A critical vulnerability in the premium File Uploads add-on for the Ninja Forms WordPress plugin is being exploited in the wild. It lets unauthenticated attackers upload arbitrary files, with a realistic path to remote code execution on vulnerable sites. The flaw, tracked as CVE-2026-0740, carries a CVSS score of 9.8 out of 10 and affects Ninja Forms File Uploads up to and including version 3.3.26; the developer shipped a complete fix in version 3.3.27 on March 19.
Ninja Forms is a widely used tool for building WordPress forms through a visual interface. The base plugin has accumulated more than 600,000 downloads, and its file upload extension serves tens of thousands of customers, according to the vendor's own figures on the extension page (about 90,000 customers). That install base makes the vulnerable extension an attractive target: Wordfence reports thousands of exploitation attempts per day and blocked more than 3,600 attacks in a single 24-hour window on its firewall.

What is the technical problem? According to the analysis by Wordfence researchers, the vulnerable function does not validate the extension or type of the file, nor sanitize the destination filename, before moving the upload to disk. The missing checks allow files with dangerous extensions (for example .php) to be uploaded and, in addition, allow the filename to be manipulated for directory traversal so that the file lands in a location reachable from the web server. As a result, an attacker can drop a PHP script inside the site's public tree and execute code on the server simply by requesting it from a browser.
The practical consequences range from deploying web shells that give remote control, to full site takeover and abuse of the server for further malicious activity. Given how easy exploitation is (no authentication is required) and the ability to execute code, the vulnerability is an immediate risk to any installation still running a vulnerable version of the add-on.
The issue was reported by researcher Sélim Lanouar (known as whattheslime) through the Wordfence bug bounty program on January 8. Wordfence validated the report, passed the details to the vendor and deployed temporary firewall rules to protect its customers while a fix was developed. After an initial review and a partial fix in February, the vendor published the final fix in version 3.3.27 on March 19; the disclosure summary and timeline are available in Wordfence's technical analysis (Wordfence blog post).
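To make the two missing checks concrete, the following is an added illustration in plain PHP, not the plugin's own code (Wordfence has not published that here): a generic handler that trusts the client-supplied filename, beside a hardened version that strips path components, allow-lists the final extension, rejects double extensions and hidden files, and replaces the basename with a random token. The upload directory, the allow-list and the sample filenames are all constructed for the demo.

```php
<?php
// Illustrative only: not the Ninja Forms File Uploads code. It shows the checks
// the advisory says were missing (extension/type validation and rejection of
// directory traversal in the destination name) in a generic upload handler.

// Weak version: trusts the client-supplied name. "../../shell.php" escapes the
// upload directory and keeps its executable extension.
function weak_destination(string $uploadDir, string $clientName): string
{
    return $uploadDir . '/' . $clientName;
}

// Hardened version. The attacker ends up controlling no part of the stored path.
function safe_destination(string $uploadDir, string $clientName, array $allowedExt): string
{
    // Normalize separators, then keep only the last path segment (kills traversal).
    $name = basename(str_replace('\\', '/', $clientName));
    // Reject empty names and dotfiles (an uploaded .htaccess could re-enable PHP).
    if ($name === '' || $name === '.' || $name === '..' || $name[0] === '.') {
        throw new InvalidArgumentException("rejected name: $clientName");
    }
    $parts = explode('.', $name);
    if (count($parts) < 2) {
        throw new InvalidArgumentException("no extension: $clientName");
    }
    // Allow-list the *final* extension; a deny-list of .php variants is never complete.
    $ext = strtolower(array_pop($parts));
    if (!in_array($ext, $allowedExt, true)) {
        throw new InvalidArgumentException("extension not allowed: .$ext");
    }
    // Block double extensions (shell.php.jpg) that some handler mappings still execute.
    foreach ($parts as $seg) {
        if (preg_match('/^(php\d*|phtml|phar|shtml|cgi)$/i', $seg)) {
            throw new InvalidArgumentException("double extension: $clientName");
        }
    }
    // Resolve the real upload directory and store under a random basename.
    $realDir = realpath($uploadDir);
    if ($realDir === false) {
        throw new RuntimeException('upload directory missing');
    }
    // In a real handler, also check the content (finfo_file) against the extension
    // and call is_uploaded_file() before move_uploaded_file().
    return $realDir . DIRECTORY_SEPARATOR . bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed demo: a temp directory and a handful of attacker-style names.
$dir = sys_get_temp_dir() . '/uploads-demo';
@mkdir($dir, 0700);
$allowed = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];
foreach (['photo.jpg', 'shell.php', '../../shell.php', 'avatar.php.jpg', '..\\..\\x.phtml', '.htaccess'] as $n) {
    echo str_pad($n, 18), ' weak => ', weak_destination($dir, $n), PHP_EOL;
    try {
        echo str_pad('', 18), ' safe => ', safe_destination($dir, $n, $allowed), PHP_EOL;
    } catch (Exception $e) {
        echo str_pad('', 18), ' safe => REJECTED (', $e->getMessage(), ')', PHP_EOL;
    }
}
```

Only photo.jpg survives the hardened path, and it is stored under a name the uploader never chose. The random basename is the important design choice: once the attacker cannot influence the stored path or extension, traversal and executable uploads are both closed off by construction rather than by pattern matching.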
If you manage a site running Ninja Forms with the File Uploads add-on, the immediate and most effective recommendation is to update to version 3.3.27 or later as soon as possible. Updating is the only way to fully close the window attackers are exploiting. If you cannot apply the update immediately, there are temporary measures that reduce the risk: enable web application firewall (WAF) rules such as Wordfence's, disable the File Uploads add-on until it can be patched, and configure the web server so that PHP files in the upload directories are never executed.
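The last of those measures is worth showing, since it also limits the blast radius of any future upload bug. This is an added example (not from the advisory or the plugin), an `.htaccess` dropped into `wp-content/uploads/` on Apache 2.4; it assumes the default WordPress uploads path and that `AllowOverride` permits these directives.

```apacheconf
# wp-content/uploads/.htaccess  (added example; assumes Apache 2.4 and AllowOverride)

# Refuse to serve anything with a PHP-family extension from the uploads tree,
# regardless of how PHP is wired up (mod_php or PHP-FPM).
<FilesMatch "\.(php[0-9]*|phtml|phar)$">
    Require all denied
</FilesMatch>

# Also refuse double extensions such as shell.php.jpg, which some handler
# mappings would still hand to the PHP interpreter.
<FilesMatch "\.php\.">
    Require all denied
</FilesMatch>

# Belt and braces for mod_php deployments: turn the engine off entirely here.
# Has no effect under PHP-FPM, where the FilesMatch blocks above do the work.
<IfModule mod_php.c>
    php_flag engine off
</IfModule>
```

On Nginx the equivalent is a regex location placed before the generic PHP location, for example `location ~* ^/wp-content/uploads/.*\.php$ { deny all; }`; order matters, because Nginx uses the first matching regex location. In both cases verify the change by requesting a harmless test `.php` file under uploads and confirming a 403 rather than executed output.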

In addition to patching, review the site for indicators of compromise: inspect access and upload logs for unusual requests to the upload endpoint, look for new or suspicious PHP files inside the media directory or the public web root, and scan the site with malware detection tools. If an intrusion is confirmed, take the site offline temporarily, remove the detected backdoors, restore from clean backups and rotate all associated credentials (WordPress administrators, FTP/SFTP, hosting control panel). It is also advisable to review file system permissions and disable PHP execution in the uploads folders through the web server configuration (.htaccess, Nginx, etc.).
For further technical details and mitigation guidance, the most complete public write-ups come from Wordfence and the official plugin pages. The Wordfence technical advisory and firewall rules are available on its portal (vulnerability analysis and blog post), while the official Ninja Forms resources and the plugin page in the WordPress repository provide version and download information (File Uploads extension, plugin page on WordPress.org).
In the WordPress ecosystem, incidents like this are a reminder that third-party components (plugins and extensions) can become critical attack vectors. Keeping plugins up to date, enforcing server-side security policies and monitoring traffic and logs are essential practices for reducing risk. If you manage production or client sites, prioritize the update and consider a WAF that blocks mass exploitation attempts while you complete remediation.
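Two of those checks can be scripted. The following is an added example (not part of the advisory or the plugin) of the log review and file scan described above, runnable from the PHP CLI: it correlates POSTs to the form's upload endpoint with later requests for executable files under `wp-content/uploads/`, then walks an uploads tree for PHP-family files. The log lines and the upload tree are constructed for the demo, and the endpoint regex and uploads path are assumptions to adapt to the real site.

```php
<?php
// Added example, not the advisory's or the plugin's code. Log lines and the
// upload tree are constructed; the endpoint pattern and uploads path are
// assumptions, adjust them to what your forms actually post to.

// Parse one Apache/Nginx combined-format access log line.
function parse_log_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3],
            'path' => $m[4], 'status' => (int) $m[5], 'ua' => $m[6]];
}

// Any request for an executable file under uploads is abnormal on WordPress;
// a 200 means the server actually served (and most likely executed) it.
function php_requests_in_uploads(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $r = parse_log_line($line);
        if ($r && preg_match('#^/wp-content/uploads/.*\.(php\d*|phtml|phar)(\?|$)#i', $r['path'])) {
            $hits[] = $r;
        }
    }
    return $hits;
}

// For each IP that fetched a PHP file from uploads, pull its POSTs to the
// upload endpoint: that pairing is the upload-then-execute pattern.
function correlate_with_uploads(array $lines, array $hits, string $endpointRe): array
{
    $pairs = [];
    foreach ($hits as $h) {
        foreach ($lines as $line) {
            $r = parse_log_line($line);
            if ($r && $r['ip'] === $h['ip'] && $r['method'] === 'POST'
                && preg_match($endpointRe, $r['path'])) {
                $pairs[] = ['upload' => $r, 'exec' => $h];
            }
        }
    }
    return $pairs;
}

// Walk an uploads directory and list files with executable extensions.
function php_files_under(string $dir): array
{
    $found = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $f) {
        if (preg_match('/\.(php\d*|phtml|phar)$/i', $f->getFilename())) {
            $found[] = $f->getPathname();
        }
    }
    sort($found);
    return $found;
}

// Constructed sample log: one upload POST, one fetch of a planted shell, one benign image.
$lines = [
    '203.0.113.7 - - [20/Mar/2026:10:12:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 63 "-" "python-requests/2.31"',
    '203.0.113.7 - - [20/Mar/2026:10:12:03 +0000] "GET /wp-content/uploads/2026/03/x7f3.php HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '198.51.100.4 - - [20/Mar/2026:10:13:10 +0000] "GET /wp-content/uploads/2026/03/photo.jpg HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
];
$endpoint = '#^/wp-admin/admin-ajax\.php#';   // assumption: replace with your form's upload endpoint

foreach (correlate_with_uploads($lines, php_requests_in_uploads($lines), $endpoint) as $p) {
    printf("SUSPECT %s: POST %s at %s, then GET %s -> %d\n", $p['upload']['ip'],
        $p['upload']['path'], $p['upload']['time'], $p['exec']['path'], $p['exec']['status']);
}

// Constructed uploads tree with one planted PHP file and one harmless image.
$uploads = sys_get_temp_dir() . '/uploads-scan-demo';
@mkdir("$uploads/2026/03", 0700, true);
file_put_contents("$uploads/2026/03/x7f3.php", "<?php // planted for the demo\n");
file_put_contents("$uploads/2026/03/photo.jpg", 'not really a jpeg');
foreach (php_files_under($uploads) as $path) {
    echo "EXECUTABLE FILE IN UPLOADS: $path\n";
}
```

On a real site, feed the script the full access log for the exposure window and point `php_files_under()` at the actual uploads directory; anything it lists should be treated as a backdoor until proven otherwise, and its first appearance in the log gives you the starting point for the timeline.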