A serious security vulnerability has put nearly 50,000 WordPress websites at significant risk. Specifically, the issue affects the widely used “Ninja Forms – File Upload” plugin, exposing sites to potential full takeover if left unpatched.
Security experts have identified this flaw as CVE-2026-0740, and notably, it carries a critical CVSS score of 9.8. As a result, it ranks among the most severe vulnerabilities and demands immediate action from website owners and administrators.
Researcher Sélim Lanouar discovered this vulnerability and received a $2,145 bug bounty for the finding. Importantly, the flaw falls under the category of an Unauthenticated Arbitrary File Upload vulnerability. In practical terms, this means attackers do not need login credentials or any level of access to exploit the issue. Instead, they can directly upload malicious files to a vulnerable website.
Once attackers exploit this weakness, they can execute Remote Code Execution (RCE). Consequently, they gain full control over the affected server, opening the door to a wide range of malicious activities.
How the Vulnerability Works
The issue originates from how the Ninja Forms File Upload addon processes user-submitted files. Typically, the plugin uses the handle_upload() function, which then calls the _process() method to move uploaded files to their final storage location.
Although the plugin attempts to validate the uploaded file type, a critical gap appears during the final step. Specifically, the system fails to properly verify the file extension of the destination file when executing the move_uploaded_file() function. Moreover, it does not adequately sanitize file names.
Because of this oversight, attackers can exploit a technique known as path traversal. By manipulating file paths, they can bypass security restrictions and upload dangerous files—such as malicious .php scripts—directly into sensitive directories like the website’s root folder.
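The checks that the move step described above should perform on its destination, as an added example (this is not the Ninja Forms plugin's code; the function name, the fixed upload directory and the extension allowlist are assumptions):

```php
<?php
// Added example, not the plugin's code: validate the final destination of an
// uploaded file before handing it to move_uploaded_file(). Returns the safe
// absolute path, or null when the name must be rejected.
function safe_upload_destination(string $uploadDir, string $clientName, array $allowedExt): ?string
{
    // 1. Strip NUL bytes and any directory component, which removes
    //    "../" sequences and absolute paths supplied by the client.
    $base = basename(str_replace("\0", '', $clientName));
    // Collapse everything outside a conservative character set.
    $base = preg_replace('/[^A-Za-z0-9._-]/', '_', $base);
    if ($base === '' || $base === '.' || $base === '..') {
        return null;
    }

    // 2. Check every extension, not only the last one, so a name such as
    //    "photo.php.jpg" is rejected along with plain "shell.php". A name
    //    with no extension at all (or a bare dotfile like ".htaccess") is
    //    rejected too, since the stem is not consulted.
    $parts = explode('.', $base);
    array_shift($parts); // drop the stem, keep the extension chain
    if ($parts === []) {
        return null;
    }
    foreach ($parts as $ext) {
        if (!in_array(strtolower($ext), $allowedExt, true)) {
            return null;
        }
    }

    // 3. Resolve the upload directory and confirm the destination's parent
    //    is exactly that directory, as a second guard against traversal.
    $root = realpath($uploadDir);
    if ($root === false) {
        return null;
    }
    $dest = $root . DIRECTORY_SEPARATOR . $base;
    if (realpath(dirname($dest)) !== $root) {
        return null;
    }
    return $dest;
}

// Usage with PHP's upload API (assumed field name 'f'); a content-type or
// magic-byte check on the temporary file is a further, separate layer.
$dest = safe_upload_destination('/var/www/uploads', $_FILES['f']['name'] ?? '', ['jpg', 'png', 'pdf']);
if ($dest !== null) {
    move_uploaded_file($_FILES['f']['tmp_name'], $dest);
}
```

Inside WordPress itself, sanitize_file_name() and wp_check_filetype_and_ext() cover the name-cleaning and extension checks, and the point of the example is that they must be applied to the name actually passed to move_uploaded_file(), not only to an earlier copy of it.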
Impact of the Exploit
Once attackers upload a malicious PHP file, often referred to as a webshell, they can execute commands on the server remotely. As a result, they can completely compromise the website.
Furthermore, attackers may steal sensitive database information, inject malicious code into legitimate web pages, or redirect users to harmful spam or phishing sites. In addition, compromised servers can become launchpads for further cyberattacks, amplifying the overall threat.
Patch and Mitigation Steps
The vulnerability impacts all plugin versions up to and including 3.3.26. However, security teams responded quickly. Wordfence initially deployed firewall protections for premium users on January 8, 2026, and later extended coverage to free users by February 7.
Meanwhile, the plugin developers worked on a fix. They released a partial patch in version 3.3.25 and ultimately delivered a complete fix in version 3.3.27 on March 19, 2026.
Therefore, if you are using the Ninja Forms File Upload plugin, you should immediately update to version 3.3.27 or later. Since this vulnerability requires no authentication and is easy to exploit, unpatched websites remain highly vulnerable to automated attacks scanning the internet for weak targets.