A serious security flaw has been discovered in the Ninja Forms File Uploads add-on for WordPress, allowing attackers to upload malicious files without needing to log in.
The vulnerability, tracked as CVE-2026-0740, is already being actively exploited, with security firm Wordfence reporting that it blocked more than 3,600 attacks in just 24 hours.
Ninja Forms is a widely used form builder plugin with over 600,000 downloads, and its File Upload extension is used by around 90,000 customers. The vulnerability carries a critical severity score of 9.8 out of 10 and affects versions up to 3.3.26.
According to researchers, the issue exists because the plugin fails to properly validate file types and extensions during uploads. This means attackers can upload any file, including harmful PHP scripts, and even manipulate file paths to place those files in sensitive locations like the webroot directory.
Because the plugin performs no checks on file names or extensions, an attacker can upload arbitrary code directly to the server. Once such a file lands in a web-accessible location, it can be requested remotely, which lets the attacker execute code on the affected website.
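The checks described above as missing (extension validation, rejection of path components in the supplied name, and a content check) are the core of any upload hardening. The following Python script is an added illustration written for this article; it is not Ninja Forms code and does not reproduce the plugin's PHP. The allowlist, the magic-byte table, the function names, and the assumption that `upload_dir` sits outside the webroot are all choices made for the example.

```python
"""Hardened file-upload validator (added example, not Ninja Forms code).

Demonstrates the controls the article says were absent: an extension
allowlist applied to every dotted suffix, rejection of path separators and
'..' in the client-supplied name, magic-byte sniffing so the content must
match the claimed type, and storage under a random server-chosen name in a
directory assumed to live outside the webroot, with no execute bit.
"""
import os
import secrets
import tempfile
from pathlib import Path

# Allowlist of extensions the form is expected to accept (assumed policy).
ALLOWED_EXTENSIONS = {"pdf", "png", "jpg", "jpeg"}

# Leading magic bytes per allowed type, used to confirm the payload really is
# what the extension claims.
MAGIC = {
    "pdf": [b"%PDF-"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
}


class UploadRejected(ValueError):
    """Raised when an upload fails any validation step."""


def validate_filename(name: str) -> str:
    """Return the final extension if the client-supplied name is acceptable.

    Path separators and '..' are refused so the name cannot steer the file
    into another directory (for example the webroot), and every dotted suffix
    must be on the allowlist so a name like 'photo.php.jpg' does not pass.
    """
    if not name or "\x00" in name:
        raise UploadRejected("empty or NUL-containing file name")
    if "/" in name or "\\" in name or name in (".", ".."):
        raise UploadRejected("path components are not allowed in file names")
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        raise UploadRejected("file name must have a base name and an extension")
    suffixes = parts[1:]
    for suffix in suffixes:
        if suffix not in ALLOWED_EXTENSIONS:
            raise UploadRejected(f"extension '.{suffix}' is not permitted")
    return suffixes[-1]


def validate_content(ext: str, data: bytes) -> None:
    """Confirm the payload's leading bytes match the claimed extension."""
    if not any(data.startswith(sig) for sig in MAGIC[ext]):
        raise UploadRejected(f"content does not look like a .{ext} file")


def store_upload(name: str, data: bytes, upload_dir: Path) -> Path:
    """Validate the upload and write it under a random name in upload_dir.

    upload_dir is assumed to be outside the webroot, so even a file that
    slipped through cannot be fetched (and executed) over HTTP.
    """
    ext = validate_filename(name)
    validate_content(ext, data)
    upload_dir = upload_dir.resolve()
    upload_dir.mkdir(parents=True, exist_ok=True)
    dest = upload_dir / f"{secrets.token_hex(16)}.{ext}"
    # Belt and braces: the resolved destination must still be inside upload_dir.
    if dest.resolve().parent != upload_dir:
        raise UploadRejected("destination escaped the upload directory")
    dest.write_bytes(data)
    os.chmod(dest, 0o640)  # readable by the app, never executable
    return dest


def try_store(name: str, data: bytes, upload_dir: Path) -> str:
    """Return 'stored' on success, otherwise the rejection reason."""
    try:
        store_upload(name, data, upload_dir)
        return "stored"
    except UploadRejected as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    # Constructed sample inputs for the demo; not real attack traffic.
    with tempfile.TemporaryDirectory() as tmp:
        uploads = Path(tmp) / "uploads"
        samples = [
            ("report.pdf", b"%PDF-1.7 sample"),
            ("shell.php", b"<?php echo 'placeholder'; ?>"),
            ("../../wp-content/x.png", b"\x89PNG\r\n\x1a\n"),
            ("photo.php.jpg", b"\xff\xd8\xff\xe0"),
            ("photo.jpg", b"<?php echo 'placeholder'; ?>"),
        ]
        for fname, body in samples:
            print(f"{fname:26} -> {try_store(fname, body, uploads)}")
```

Run as a script, the five constructed samples show one accepted PDF and four rejections: a bare `.php`, a name carrying `../` path components, a double extension, and a `.jpg` whose bytes are not an image. The random server-side name is what removes the client's influence over where and under what name the file ends up.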
This kind of access can lead to serious consequences, including the installation of web shells or even a full takeover of the site.
The vulnerability was discovered by security researcher Sélim Lanouar and reported through Wordfence’s bug bounty program on January 8. Wordfence quickly shared the details with the plugin developer and rolled out temporary protections through its firewall.
After an initial partial fix in February, the developer released a complete patch in version 3.3.27 on March 19. Given the ongoing attacks, users are strongly urged to update to the latest version as soon as possible to stay protected.