Ninja Forms - Critical Flaw Allows Remote Code Execution

Active exploitation or massive impact — immediate action required
Basically, hackers can upload harmful files to websites using a flaw in a popular WordPress plugin.
A critical flaw in the Ninja Forms plugin for WordPress allows attackers to upload harmful files. The plugin has over 600,000 downloads, and users must update immediately to avoid exploitation.
What Happened
A critical vulnerability has been discovered in the Ninja Forms File Uploads premium add-on for WordPress. This flaw allows attackers to upload arbitrary files without authentication, leading to potential remote code execution. Identified as CVE-2026-0740, this issue is currently being exploited in the wild.
Who's Affected
The Ninja Forms plugin, which has over 600,000 downloads, is widely used to create forms on WordPress sites. Specifically, the vulnerability affects versions up to 3.3.26 of the File Upload extension, which serves around 90,000 customers.
What Data Was Exposed
Because the add-on did not validate file types and extensions, attackers can upload harmful files, including PHP scripts. This opens the door for path traversal attacks, enabling unauthorized access to sensitive areas of the server. The potential consequences include the deployment of web shells and complete site takeovers.
What You Should Do
Users of the Ninja Forms File Upload add-on are strongly advised to upgrade to the latest version, 3.3.27, which includes a complete fix. Wordfence, a WordPress security company, has already blocked over 3,600 attacks related to this vulnerability in just 24 hours. If you haven't updated yet, do so immediately to protect your site from exploitation.
Discovery and Fixes
The vulnerability was discovered by security researcher Sélim Lanouar and reported through Wordfence’s bug bounty program on January 8. Following validation, Wordfence disclosed the vulnerability to the vendor and implemented temporary mitigations. The vendor released a partial fix on February 10, followed by a complete fix on March 19. Given the ongoing exploitation attempts, timely updates are crucial for all users.
🔍 How to Check If You're Affected
1. Check whether your Ninja Forms File Uploads version is 3.3.26 or lower.
2. Review your server logs for any unauthorized file uploads.
3. Ensure your Wordfence firewall is updated and monitoring for suspicious activity.
🔒 Pro insight: The rapid exploitation of CVE-2026-0740 highlights the need for rigorous file validation in web applications.
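As an added example (not code from the article, Wordfence or the plugin vendor), the script below performs the version check and upload review from the steps above and applies the kind of file validation the closing insight calls for: it reads the version from a WordPress plugin header, compares it against the 3.3.26/3.3.27 boundary named here, and flags uploaded filenames with executable extensions or traversal segments. The plugin header and the upload filenames are constructed samples; the add-on's real file path is not given in the article and is not assumed.

```python
import re
from pathlib import PurePosixPath

# Versions named in the advisory: 3.3.26 and lower are vulnerable, 3.3.27 is fixed.
LAST_VULNERABLE = "3.3.26"

# File extensions a typical PHP web server will execute (defender's deny-list for triage).
EXECUTABLE_EXTS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".phps"}

# Constructed sample of a WordPress plugin header; the real add-on's file path is
# not given in the article, so the header text is embedded here instead.
PLUGIN_HEADER = """<?php
/*
Plugin Name: File Uploads (constructed sample header)
Version: 3.3.26
*/
"""

# Constructed sample of filenames as they might appear in upload records or server logs.
SAMPLE_UPLOADS = ["resume.pdf", "photo.JPG", "shell.php", "avatar.php.jpg", "../../wp-config.php"]

def parse_version(v):
    """'3.3.26' -> (3, 3, 26) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def read_plugin_version(header_text):
    """Pull the 'Version:' field out of a WordPress plugin header block."""
    m = re.search(r"^\s*\*?\s*Version:\s*([\w.\-]+)", header_text, re.MULTILINE)
    return m.group(1) if m else None

def is_vulnerable_version(v):
    return parse_version(v) <= parse_version(LAST_VULNERABLE)

def classify_upload(name):
    """Return the reasons an uploaded filename is suspect (empty list if clean)."""
    reasons = []
    segments = re.split(r"[\\/]", name)
    if ".." in segments or name.startswith(("/", "\\")) or "\0" in name:
        reasons.append("path traversal")
    # .suffixes catches double extensions such as avatar.php.jpg
    if any(s.lower() in EXECUTABLE_EXTS for s in PurePosixPath(segments[-1]).suffixes):
        reasons.append("executable extension")
    return reasons

def audit_uploads(filenames):
    """Map each suspect filename to its reasons; clean names are omitted."""
    return {n: classify_upload(n) for n in filenames if classify_upload(n)}

if __name__ == "__main__":
    version = read_plugin_version(PLUGIN_HEADER)
    print(f"installed {version}: {'UPDATE NOW' if is_vulnerable_version(version) else 'patched'}")
    for name, why in audit_uploads(SAMPLE_UPLOADS).items():
        print(f"suspect upload {name!r}: {', '.join(why)}")
```

The deny-list here is for triaging files already on disk; inside an upload handler, an allow-list of permitted extensions combined with content-type checks is the stronger control.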