A critical vulnerability affecting Ninja Forms is actively being exploited, putting tens of thousands of websites at risk of full takeover. Discovered in the File Uploads add-on, the flaw—tracked as CVE-2026-0740—has a severe CVSS score of 9.8 and allows attackers to upload malicious files without authentication.
Security researchers at Defiant, the company behind Wordfence, have observed thousands of exploitation attempts targeting this weakness. The issue stems from improper file validation in the add-on's upload function, which neither restricts the types of file it accepts nor sanitizes the filename supplied by the client. As a result, an unauthenticated attacker can upload a PHP file directly to the website's server.
Once uploaded, such a file is executed by the web server the moment it is requested, giving the attacker full control over the compromised site: deploying web shells, modifying website content, stealing sensitive data, or using the site as a launch point for further attacks. The missing filename sanitization makes this worse, because path traversal sequences in the name let the attacker choose where the file lands, including critical directories such as the webroot.
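The two failure modes described above, an unchecked file type and an unsanitized filename, can be shown side by side in a minimal upload handler. This is an added example, not code from the Ninja Forms plugin or from Wordfence; the function names, the extension allowlist and `$uploadDir` are assumptions for illustration.

```php
<?php
// Added example: a vulnerable upload pattern beside a hardened one.
// Not code from Ninja Forms or Wordfence; function names, the allowlist
// and $uploadDir are assumptions for illustration.

// VULNERABLE: trusts the client-supplied filename and MIME type.
// $file is one entry of $_FILES. A name such as "../../shell.php" walks out
// of $uploadDir, and 'type' is whatever the client wrote in the multipart header.
function vulnerable_save_upload(array $file, string $uploadDir): ?string
{
    if ($file['type'] !== 'image/png') {      // attacker-controlled, not a real check
        return null;
    }
    $dest = $uploadDir . '/' . $file['name']; // traversal and .php both reach disk
    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : null;
}

// HARDENED: the client name never reaches disk, the extension is allowlisted,
// the content is sniffed, and nothing attacker-chosen appears in the path.
function hardened_save_upload(array $file, string $uploadDir): ?string
{
    // Extension => MIME type the uploaded bytes must actually have.
    $allowed = [
        'png'  => 'image/png',
        'jpg'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
        'pdf'  => 'application/pdf',
    ];

    $name = (string) ($file['name'] ?? '');

    // 1. Path separators or NUL bytes in a filename are never legitimate: reject.
    if ($name === '' || strpbrk($name, "/\\\0") !== false) {
        return null;
    }

    // 2. Allowlist the final extension. A dotfile (".htaccess") or a name with
    //    no extension is rejected here; double extensions such as shell.php.png
    //    are neutralised in step 4 because the original name is discarded.
    $dot = strrpos($name, '.');
    if ($dot === false || $dot === 0) {
        return null;
    }
    $ext = strtolower(substr($name, $dot + 1));
    if (!isset($allowed[$ext])) {
        return null;
    }

    // 3. Check the bytes that were uploaded, not $file['type'].
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($detected !== $allowed[$ext]) {
        return null;
    }

    // 4. Server-generated name under a directory the code controls, so neither
    //    traversal sequences nor an inner ".php" segment can survive.
    if (!is_dir($uploadDir)) {
        return null;
    }
    $dest = $uploadDir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;

    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : null;
}
```

In WordPress code, steps 2 and 3 correspond to `sanitize_file_name()` and `wp_check_filetype_and_ext()`, and the upload directory should additionally be configured not to execute PHP at all (for Apache with mod_php, an `.htaccess` in that directory containing `php_flag engine off`), so that a file which slips past validation is served as data rather than run.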
The flaw was originally identified by security researcher Sélim Lanouar through the Wordfence bug bounty program, highlighting the importance of coordinated vulnerability disclosure. However, the widespread use of the plugin—across approximately 50,000 websites—has made it an attractive target for threat actors looking to exploit unpatched systems.
Because the attack requires no authentication, the barrier to exploitation is very low, and automated scanners reach small or lightly maintained sites just as readily as high-profile ones. A single successful upload gives the attacker arbitrary code execution and, with it, complete control of the affected environment.
To mitigate the risk, users are strongly advised to update the File Uploads add-on to the latest patched version immediately; delaying leaves a site exposed to the automated attacks already scanning for vulnerable installations. Because exploitation is under way, patching is not the whole job: an update does not remove a web shell that has already been dropped, so operators should also check the upload directories and the webroot for PHP files they did not put there and review web server logs for unauthenticated requests to the upload endpoint.
This incident serves as a reminder of the critical importance of securing file upload functionality in web applications. Even a small validation oversight can lead to severe consequences, especially in widely deployed platforms like WordPress.