A critical unauthenticated arbitrary file upload vulnerability, CVE-2026-0740, is actively being exploited in the wild, putting approximately 50,000 WordPress websites running the Ninja Forms File Uploads plugin at immediate risk of complete server takeover.
The flaw is a maximum-severity vulnerability in the Ninja Forms – File Uploads premium extension for WordPress that allows attackers to upload arbitrary files, including PHP web shells, without any authentication whatsoever.
Tracked as CVE-2026-0740 and carrying a CVSS v3.1 base score of 9.8 (Critical), the flaw resides in the NF_FU_AJAX_Controllers_Uploads::handle_upload function, which fails to validate file types or extensions before executing the file move operation.
The vulnerability is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type), one of the most dangerous weakness categories in web application security.
The vulnerability affects all versions of Ninja Forms – File Uploads up to and including 3.3.26. Because the plugin handles unauthenticated AJAX requests via the WordPress /wp-admin/admin-ajax.php endpoint, any internet-exposed WordPress site running the affected plugin version becomes an immediate, no-login-required target.
The exploitation chain is deceptively simple and can be automated with publicly available proof-of-concept tools. An attacker begins by requesting a nonce token through the nf_fu_get_new_nonce AJAX action, a publicly accessible endpoint that requires no credentials.
Once a valid nonce is obtained, the attacker invokes the nf_fu_upload action to submit a malicious file, typically a PHP web shell, to the server.
What makes CVE-2026-0740 especially dangerous is the dual-vector exploitation path: the plugin validates the source filename but completely ignores the destination filename, enabling attackers to bypass any extension-based allowlist.
Furthermore, because no filename sanitization is applied to the destination path, the vulnerability simultaneously enables path traversal, allowing the attacker to move the uploaded file outside the intended upload directory and into the web root, making the uploaded shell directly accessible and executable via a browser.
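The two checks the article says are missing, validation of the destination name and containment within the upload directory, written out as an added Python illustration. This is not the plugin's PHP code; the function names, the extension allowlist and the /tmp/nf-uploads path are assumptions chosen for the example.

```python
import os
import posixpath

# Constructed allowlist of upload extensions that no web server should execute.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt", "csv"}
# Extensions commonly mapped to a server-side interpreter; rejected anywhere in
# the name so that names such as "photo.php.jpg" are also refused.
EXECUTABLE_EXTENSIONS = {"php", "phtml", "php3", "php4", "php5", "php7", "phps", "phar"}


class UploadRejected(ValueError):
    """Raised when a requested destination name is unsafe."""


def safe_destination(upload_dir: str, requested_name: str) -> str:
    """Return an absolute path inside upload_dir for requested_name, or raise.

    The checks target the two gaps the article describes: the destination
    name itself is validated (not just the source name), and traversal out
    of the upload directory is refused.
    """
    if "\x00" in requested_name:
        raise UploadRejected("null byte in filename")
    # Drop every directory component; this defeats "../" and absolute paths
    # whichever separator the client used.
    name = posixpath.basename(requested_name.replace("\\", "/"))
    if name in ("", ".", ".."):
        raise UploadRejected("empty or relative filename")
    if name.startswith("."):
        # e.g. .htaccess, which could re-enable execution in the upload tree
        raise UploadRejected("hidden files not permitted")
    segments = name.lower().split(".")
    if len(segments) < 2:
        raise UploadRejected("filename has no extension")
    if any(seg in EXECUTABLE_EXTENSIONS for seg in segments[1:]):
        raise UploadRejected("server-side executable extension")
    if segments[-1] not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension {segments[-1]!r} not on the allowlist")
    # Belt and braces: confirm the resolved path is still under upload_dir.
    root = os.path.realpath(upload_dir)
    dest = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, dest]) != root:
        raise UploadRejected("destination escapes the upload directory")
    return dest


def is_safe(upload_dir: str, requested_name: str) -> bool:
    """Boolean convenience wrapper around safe_destination."""
    try:
        safe_destination(upload_dir, requested_name)
        return True
    except UploadRejected:
        return False


if __name__ == "__main__":
    # Constructed sample names, from benign to clearly hostile.
    for candidate in ("report.pdf", "../../shell.php", "photo.php.jpg", ".htaccess", "../image.png"):
        try:
            print(f"{candidate!r:>22} -> {safe_destination('/tmp/nf-uploads', candidate)}")
        except UploadRejected as err:
            print(f"{candidate!r:>22} -> rejected: {err}")
```

The order matters: the basename is taken before the extension is examined, so a traversal prefix cannot smuggle a name past the allowlist, and the final realpath comparison catches anything the earlier string checks did not anticipate.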
Successful exploitation allows an attacker to execute arbitrary commands on the underlying web server, exfiltrate sensitive data, deploy persistent backdoors, pivot deeper into the hosting environment, and achieve a complete site takeover. No user interaction and no elevated privileges are required, earning this flaw its near-perfect CVSS severity score.
Exploitation in the Wild
This vulnerability is not theoretical; it is actively being weaponized. According to WordPress security firm Defiant, its Wordfence firewall blocked more than 3,600 exploitation attempts within a single 24-hour window, signaling that threat actors are conducting automated, large-scale scanning campaigns targeting vulnerable installations.
The attack surface is alarmingly broad. Ninja Forms is one of WordPress’s most popular form builder plugins, with over 600,000 total downloads and the File Uploads extension serving approximately 90,000 customers, of which roughly 50,000 active sites remain at risk.
Because this is a premium plugin distributed outside the WordPress.org repository, patch adoption is expected to lag significantly behind that of free plugins, leaving many sites on vulnerable versions for an extended period.
The vulnerability was originally discovered by security researcher Sélim Lanouar (whattheslime), who submitted it to Wordfence’s bug bounty program on January 8, 2026. A partial fix was issued in version 3.3.25 on February 10, 2026, but it failed to close all bypass vectors. The vendor released a complete remediation in version 3.3.27 on March 19, 2026.
Affected Component and Technical Detail
| Detail | Value |
|---|---|
| Plugin | Ninja Forms – File Uploads |
| Affected Versions | ≤ 3.3.26 |
| Fixed Version | 3.3.27 (March 19, 2026) |
| CVSS v3.1 Score | 9.8 (Critical) |
| CWE | CWE-434 |
| Vulnerable Function | NF_FU_AJAX_Controllers_Uploads::handle_upload |
| Attack Vector | Network (Unauthenticated) |
| Impact | Remote Code Execution, Full Site Takeover |
Mitigation and Recommended Actions
Security teams and WordPress administrators should treat this vulnerability as a P1 emergency and take immediate action:
- Update immediately to Ninja Forms – File Uploads version 3.3.27 via the official ninjaforms.com vendor channel; do not assume auto-updates have applied the patch for premium extensions
- Disable file upload forms temporarily if the update cannot be applied immediately, or restrict submission to authenticated users only
- Deploy WAF rules to block requests uploading PHP, PHTML, or other server-side executable file types through the affected AJAX endpoints
- Configure upload directories (/wp-content/uploads/) to deny server-side execution of any uploaded files regardless of extension
- Audit existing uploads for unexpected PHP files or webshells that may have been planted before patching
- Enable Wordfence or an equivalent firewall to detect and block ongoing exploitation attempts in real time
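An audit pass over an uploads tree of the kind the list above calls for, as an added Python example (not a Wordfence or Ninja Forms tool). It flags server-side extensions anywhere in a filename, dropped-in server config files, and PHP open tags inside files that carry an innocent extension. The extension set and the sample tree are constructed assumptions; point `audit_uploads` at a site's real /wp-content/uploads/ to use it.

```python
from __future__ import annotations

import os
import re
import tempfile

# Assumption: extensions a typical Apache or nginx PHP handler mapping would
# execute; extend this to match the host's actual configuration.
EXECUTABLE_EXTS = {"php", "phtml", "php3", "php4", "php5", "php7", "phps", "phar"}
# Dropped-in config files that can re-enable execution in the upload tree.
CONFIG_FILES = {".htaccess", ".user.ini", "web.config"}
# PHP open tags; catches shells hidden behind an image extension.
PHP_OPEN_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def audit_uploads(root: str) -> list[tuple[str, list[str]]]:
    """Walk root and return (relative_path, reasons) for every suspicious file."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            reasons = []
            # Any executable extension anywhere in the name, so "photo.php.jpg"
            # is flagged as well as "update.php".
            if any(seg in EXECUTABLE_EXTS for seg in fn.lower().split(".")[1:]):
                reasons.append("executable extension")
            if fn in CONFIG_FILES:
                reasons.append("server config file in uploads")
            try:
                with open(path, "rb") as fh:
                    head = fh.read(4096)  # first 4 KiB is enough for an open tag
            except OSError:
                continue
            if PHP_OPEN_TAG.search(head):
                reasons.append("PHP open tag in content")
            if reasons:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append((rel, reasons))
    return sorted(findings)


def build_sample_tree() -> str:
    """Create a constructed uploads tree mixing benign and suspicious files."""
    root = tempfile.mkdtemp(prefix="nf-uploads-audit-")
    month = os.path.join(root, "2026", "03")
    os.makedirs(month)
    samples = {
        os.path.join(month, "report.pdf"): b"%PDF-1.4 constructed placeholder",
        os.path.join(month, "photo.jpg"): b"\xff\xd8\xff\xe0 constructed jpeg bytes",
        os.path.join(month, "logo.jpg"): b"GIF89a <?php /* constructed marker */ ?>",
        os.path.join(month, "photo.php.jpg"): b"\xff\xd8\xff\xe0 constructed",
        os.path.join(month, "update.php"): b"<?php /* constructed placeholder */ ?>",
        os.path.join(root, ".htaccess"): b"# constructed: handler override\n",
    }
    for path, data in samples.items():
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel, why in audit_uploads(sample_root):
        print(f"{rel}: {', '.join(why)}")
```

Treat hits as leads, not verdicts: compare modification times against the dates in this article, and remember that a file whose PHP content starts beyond the first 4 KiB or that carries no open tag at all will not be caught, so a file-integrity baseline or a full-content scan is still needed.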
Sites running version 3.3.25 should not consider themselves protected; this partial patch still contains exploitable bypass vectors and must be upgraded to 3.3.27.
FAQ
Q1: What is CVE-2026-0740?
CVE-2026-0740 is a critical, unauthenticated, arbitrary-file-upload vulnerability (CVSS 9.8) in the Ninja Forms – File Uploads WordPress plugin versions ≤ 3.3.26, allowing attackers to upload PHP shells and execute arbitrary code remotely without any login credentials.
Q2: Which versions of Ninja Forms File Uploads are affected?
All versions up to and including 3.3.26 are vulnerable; the flaw was only fully patched in version 3.3.27, released March 19, 2026, while version 3.3.25 contained an incomplete fix that still left bypass paths open.
Q3: Is CVE-2026-0740 actively being exploited?
Yes, Wordfence confirmed the vulnerability is actively exploited in the wild, with its firewall blocking over 3,600 attack attempts in a single 24-hour period targeting the approximately 50,000 vulnerable WordPress installations.
Q4: How can WordPress administrators fix CVE-2026-0740?
Administrators should immediately update the Ninja Forms – File Uploads extension to version 3.3.27, deploy WAF rules blocking executable file uploads, restrict the upload directory from executing server-side scripts, and audit the server for any previously uploaded webshells.