Critical Ninja Forms RCE Vulnerability Exposes 50,000 WordPress Sites
Key Takeaways
- A critical arbitrary file upload vulnerability (CVE-2026-0740) has been discovered in the Ninja Forms – File Upload WordPress plugin.
- Approximately 50,000 WordPress websites using this add-on are exposed to potential remote code execution (RCE) and full site compromise.
- The flaw carries a CVSS score of 9.8, indicating maximum severity, and allows unauthenticated attackers to upload malicious files.
- A complete patch is available in version 3.3.27 of the plugin; immediate updates are strongly advised.
An urgent security warning has been issued for an estimated 50,000 WordPress websites, which are at risk of complete compromise due to a critical remote code execution (RCE) vulnerability in the widely utilized “Ninja Forms – File Upload” plugin. This flaw, identified as CVE-2026-0740, has been assigned a maximum CVSS severity score of 9.8, underscoring the immediate danger it poses to site administrators.
The vulnerability was brought to light by security researcher Sélim Lanouar, who received a $2,145 bug bounty for the discovery. It is categorized as an Unauthenticated Arbitrary File Upload, meaning malicious actors can upload any file type to a vulnerable website without requiring any form of authentication, such as a username or password. Successful exploitation grants attackers full control over the underlying web server.
Understanding the Vulnerability
The Ninja Forms File Upload add-on is designed to handle user-submitted files through its handle_upload() PHP function. This function subsequently invokes the _process() method to transfer temporary uploads to their designated server location. While the plugin attempts to verify the file type of the initial upload, a critical security lapse occurs just before the file is permanently saved.
The core issue lies in the plugin’s failure to adequately validate the file extension of the destination filename during the move_uploaded_file() operation. Compounding this, the plugin also lacks robust filename sanitization. This dangerous combination enables attackers to exploit a path traversal technique, manipulating the file path to bypass security checks.
By leveraging this flaw, a threat actor can upload malicious .php files directly into the website’s root directory, circumventing normal safety protocols. Once a malicious PHP script, commonly referred to as a webshell, is successfully uploaded and executed, the consequences are severe. Attackers gain the ability to execute terminal commands on the web server, leading to a complete compromise of the site. This access can be used to exfiltrate sensitive database information, inject malware into legitimate web pages, redirect visitors to malicious spam sites, or utilize the compromised server as a launchpad for further cyberattacks.
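The two checks the article says were missing, sanitizing the filename and validating the extension of the destination name before move_uploaded_file() is called, can be expressed as a single gatekeeping function. The code below is an added illustration written for this article, not the plugin's patch; the function name, the upload directory, the allow-list and the denylist of script extensions are assumptions.

```php
<?php
// Added example (not Ninja Forms code): compute a destination path for an
// uploaded file that cannot escape the upload directory and cannot end in an
// executable extension. Returns the full path, or null to reject the upload.
function safe_upload_destination(string $uploadDir, string $clientName, array $allowedExt): ?string
{
    // Resolve the upload directory once; refuse if it does not exist.
    $base = realpath($uploadDir);
    if ($base === false || !is_dir($base)) {
        return null;
    }

    // 1. Sanitize: drop every directory component, then allow only a safe
    //    character set. Both "../" and path separators disappear here.
    $name = basename(str_replace('\\', '/', $clientName));
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', $name);
    $name = trim($name, '._');                 // no hidden files, no leading/trailing dots
    if ($name === '' || strpos($name, '.') === false) {
        return null;                           // require a visible name with an extension
    }

    // 2. Validate the extension of the *destination* filename, not the original
    //    upload. Every dot-separated segment after the first is inspected, so a
    //    name such as "image.php.jpg" is rejected as well (some servers map any
    //    ".php" segment to the PHP handler).
    $segments = explode('.', strtolower($name));
    $ext = array_pop($segments);
    if (!in_array($ext, $allowedExt, true)) {
        return null;
    }
    foreach (array_slice($segments, 1) as $seg) {
        if (preg_match('/^(php\d*|phtml|phar|pht|shtml|cgi|pl)$/', $seg)) {
            return null;
        }
    }

    // 3. Confirm the final path is still directly inside the upload directory.
    $dest = $base . DIRECTORY_SEPARATOR . $name;
    if (dirname($dest) !== $base) {
        return null;
    }
    return $dest;
}

// Usage (assumed field name "f"): move the temporary file only when a
// destination was accepted; otherwise discard the upload.
// $dest = safe_upload_destination('/var/www/uploads', $_FILES['f']['name'], ['jpg', 'png', 'pdf']);
// if ($dest !== null && move_uploaded_file($_FILES['f']['tmp_name'], $dest)) { /* accepted */ }
```

Because the sanitized name contains no path separators, the destination can only ever be a direct child of the upload directory, which is what closes the traversal path the article describes.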
Affected Versions and Remediation
The vulnerability affects all versions of the Ninja Forms File Upload plugin up to and including version 3.3.26. Security firm Wordfence initially received the bug report and implemented firewall protections for its premium users on January 8, 2026, extending these protections to free users by February 7. The plugin developers addressed the issue, releasing a partial fix in version 3.3.25 and a comprehensive, final patch in version 3.3.27 on March 19, 2026.
What You Should Do
- Immediately update your Ninja Forms – File Upload plugin to version 3.3.27 or higher.
- Regularly back up your WordPress website to facilitate recovery in case of compromise.
- Implement a robust web application firewall (WAF) to provide an additional layer of protection against known and emerging threats.
- Monitor your website logs for any suspicious file uploads or unauthorized access attempts.
- Educate your team on common web vulnerabilities and the importance of timely updates.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.