Ninja Forms File Upload Flaw: CVE-2026-0740

CVE-2026-0740 in Ninja Forms File Upload allows unauthenticated RCE. Over 3,600 attacks blocked in 24 hours. Update to 3.3.27 now.
CVE-2026-0740: Unauthenticated File Upload to RCE in Ninja Forms
A critical vulnerability in the Ninja Forms File Upload premium add-on is being actively exploited in the wild. CVE-2026-0740 carries a CVSS score of 9.8 and allows unauthenticated attackers to upload arbitrary files, including PHP scripts, directly to WordPress servers. Wordfence's firewall blocked over 3,600 attacks in a single 24-hour window. If your site runs Ninja Forms File Upload version 3.3.26 or earlier, you are exposed right now.
The plugin has over 600,000 total downloads, and the File Upload extension specifically serves around 90,000 customers. That is a large target surface, and attackers are clearly aware of it.
How the Vulnerability Works
The root cause is straightforward. The upload endpoint is reachable without authentication, and the function that moves the uploaded file into place performs no validation of the destination filename's type or extension before the move. An unauthenticated attacker can therefore submit a .php file and the server accepts it as-is.
It gets worse. The same function lacks filename sanitization entirely. That opens the door to path traversal attacks, where the attacker manipulates the filename parameter to move the uploaded file outside the intended upload directory, including directly into the webroot. Once a PHP file lands in a web-accessible location, executing it is trivial. A single HTTP request to the uploaded file is enough to trigger remote code execution on the server.
The attack chain is: unauthenticated upload request, path traversal to webroot, PHP execution. No credentials required at any step.
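The flawed pattern and its fix, modelled in Python as an added example (this is not the plugin's PHP, which the page does not reproduce, and the allow-list of extensions is an assumption). unsafe_destination shows where a traversal name lands when the client-supplied filename is joined to the upload directory unchecked; safe_destination applies the three checks a fix needs: strip directory components, allow-list the final extension while rejecting an executable extension anywhere in the name, and verify the resolved path still sits under the upload root.

```python
import os
from pathlib import PurePosixPath
from typing import Optional

# Extensions the form accepts.  This list is an assumption for the example; a
# real form would take it from its configuration.
ALLOWED_EXTENSIONS = {"pdf", "png", "jpg", "jpeg", "gif", "txt", "csv"}

# Extensions a PHP web server (or a loose handler mapping) may execute.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}


def unsafe_destination(upload_dir: str, client_filename: str) -> str:
    """The flawed pattern: join the client-supplied name onto the upload
    directory and use the result as the move target, with no extension check
    and no sanitisation.  normpath shows where a traversal name would land."""
    return os.path.normpath(os.path.join(upload_dir, client_filename))


def safe_destination(upload_dir: str, client_filename: str,
                     allowed=ALLOWED_EXTENSIONS) -> Optional[str]:
    """Hardened version: return the absolute move target, or None when the
    upload must be rejected."""
    if "\x00" in client_filename:
        return None                                  # NUL-byte truncation
    name = PurePosixPath(client_filename).name       # drop any directory part
    if not name or name.startswith(".") or "/" in name or "\\" in name:
        return None                                  # '', '.', '..', dotfiles, backslash paths
    parts = name.lower().split(".")
    if len(parts) < 2 or parts[-1] not in allowed:
        return None                                  # no extension, or not on the allow-list
    if any(p in EXECUTABLE_EXTENSIONS for p in parts[:-1]):
        return None                                  # double extension, e.g. shell.php.jpg
    root = os.path.realpath(upload_dir)
    dest = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, dest]) != root:
        return None                                  # must still resolve under the upload root
    return dest


if __name__ == "__main__":
    uploads = "/var/www/html/wp-content/uploads"
    for fn in ["report.pdf", "../../shell.php", "shell.php.jpg", "..\\..\\shell.php", "shell.php"]:
        print(f"{fn!r:22} unsafe -> {unsafe_destination(uploads, fn)}")
        print(f"{'':22} safe   -> {safe_destination(uploads, fn)}")
```

Rejecting the bare .php extension is not enough on its own: the containment check is what stops a traversal name that happens to carry an allowed extension, and the double-extension check matters on servers whose handler mapping executes a file with .php anywhere in its name.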
What Attackers Can Do After Exploitation
Getting arbitrary PHP execution on a WordPress server means full compromise is on the table. Attackers typically deploy web shells, which give persistent, interactive access to the filesystem and allow running system commands. From there, credential harvesting, lateral movement, database exfiltration, and ransomware deployment all become viable next steps.
A complete site takeover is not a worst-case hypothetical here. It is the documented outcome of this attack class. WordPress sites holding customer data, payment info, or acting as infrastructure for downstream services face particularly severe consequences.
How to Fix and Detect the Issue
The vendor shipped a complete fix in version 3.3.27, released on March 19, 2026. Update immediately. There is no acceptable reason to delay this one given the active exploitation happening right now.
A few additional steps worth taking:
- Verify the update applied correctly. Check your plugin version in the WordPress admin dashboard under Plugins and confirm it shows 3.3.27 or later.
- Audit your uploads directory. Look for any .php files (and other executable extensions such as .phtml or .phar) in wp-content/uploads or its subdirectories. None should exist. Remove them and investigate how they got there.
- Check server logs. Look for POST requests to the file upload endpoint from unusual IP addresses, especially any whose request line includes path traversal sequences such as ../ or its URL-encoded form. Standard access logs do not record multipart request bodies, so a filename sent in the body will not appear there; a GET request to a .php file under wp-content/uploads that returned 200 is the more reliable sign that an uploaded script was executed.
- Enable a WAF. Wordfence and similar tools already have rules blocking CVE-2026-0740 exploitation attempts. If you are running a firewall with updated rules, those attempts are being stopped. If you are not, the patch is your only protection layer.
- Run an automated scan against your WordPress installation. Tools like VibeWShield can surface misconfigured upload endpoints and other file handling weaknesses before attackers find them.
The vulnerability was originally reported by security researcher Sélim Lanouar on January 8 through Wordfence's bug bounty program. Wordfence pushed temporary firewall mitigations immediately, and a partial vendor fix came on February 10. Full remediation landed on March 19, about five weeks after that. If you were relying on the vendor alone, you had a window of exposure of roughly ten weeks between the initial report and the complete fix.
For more context on WordPress plugin security, see our overview of critical RCE flaws in WordPress plugins.
Is version 3.3.27 sufficient, or do I need to do anything else after updating?
Updating to 3.3.27 patches the vulnerability. After updating, audit your uploads directory for any .php files that should not be there. If you find any, your site may already be compromised and warrants a full forensic review.
How do I know if my site was already exploited before I patched?
Check your web server access logs for POST requests to the Ninja Forms upload endpoint and look for any PHP files in your uploads directories. Web shells often have generic names. Running a malware scanner or a DAST tool against your site can also surface indicators of compromise.
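The audit checks from the list above and this question on prior compromise, implemented together as an added Python example (not a tool from the page or the vendor). find_php_in_uploads walks an uploads tree for executable extensions; scan_access_log reads combined-format access log lines for two indicators: a traversal sequence in a POST request line (URL-decoded twice so %2e%2e%2f and double-encoded variants are caught) and a GET for a .php file under /wp-content/uploads/ that returned 200. The directory tree and log lines are constructed for the example, and the request paths and query parameters in them are placeholders, since the page does not name the plugin's upload endpoint.

```python
import os
import re
import tempfile
from urllib.parse import unquote

EXECUTABLE_EXT = (".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".phps")

# Apache/Nginx combined log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample log.  The paths and query parameters are placeholders; the
# real upload endpoint is not named on the page and multipart bodies are never logged.
SAMPLE_LOG = """\
203.0.113.10 - - [19/Mar/2026:10:01:02 +0000] "GET /contact-us/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Mar/2026:10:01:05 +0000] "POST /?file=../../shell.php HTTP/1.1" 200 88 "-" "python-requests/2.31"
198.51.100.7 - - [19/Mar/2026:10:01:06 +0000] "POST /?file=%2e%2e%2f%2e%2e%2fshell.php HTTP/1.1" 200 88 "-" "python-requests/2.31"
198.51.100.7 - - [19/Mar/2026:10:01:09 +0000] "GET /wp-content/uploads/2026/03/shell.php?cmd=id HTTP/1.1" 200 412 "-" "curl/8.5.0"
203.0.113.11 - - [19/Mar/2026:10:02:00 +0000] "GET /wp-content/uploads/2026/03/brochure.pdf HTTP/1.1" 200 90112 "-" "Mozilla/5.0"
"""


def find_php_in_uploads(uploads_root):
    """Walk the uploads tree and return (relative) paths of every file with an
    executable extension.  Nothing under wp-content/uploads should end in .php."""
    hits = []
    for dirpath, _dirs, files in os.walk(uploads_root):
        for name in files:
            if name.lower().endswith(EXECUTABLE_EXT):
                hits.append(os.path.relpath(os.path.join(dirpath, name), uploads_root))
    return sorted(hits)


def scan_access_log(lines):
    """Return (ip, reason, path) for every line matching either indicator."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"]
        lowered = unquote(unquote(path)).lower()     # two passes catch %252e double-encoding
        file_part = lowered.split("?", 1)[0]
        if m["method"] == "POST" and ("../" in lowered or "..\\" in lowered):
            findings.append((m["ip"], "traversal sequence in POST request line", path))
        elif (m["method"] == "GET" and m["status"] == "200"
              and "/wp-content/uploads/" in file_part
              and file_part.endswith(EXECUTABLE_EXT)):
            findings.append((m["ip"], "PHP served from uploads directory", path))
    return findings


def build_sample_tree():
    """Create a throwaway directory tree that mimics a compromised uploads
    directory (constructed for this example; two planted executables)."""
    root = tempfile.mkdtemp(prefix="uploads-")
    for rel in ["2026/03/brochure.pdf", "2026/03/shell.php", "2026/03/photo.jpg",
                "tmp/x.phtml", ".htaccess"]:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("sample\n")
    return root


if __name__ == "__main__":
    for hit in find_php_in_uploads(build_sample_tree()):
        print("executable file in uploads:", hit)
    for ip, reason, path in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f"{ip:15} {reason}: {path}")
```

On a real server the second indicator is the stronger one: the filename of a multipart upload lives in the request body, which the access log does not record, so the traversal check only catches attackers who put the name in the URL. Point find_php_in_uploads at the live wp-content/uploads path and feed scan_access_log the access log file line by line.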
Does this affect the free version of Ninja Forms?
No. CVE-2026-0740 specifically affects the File Upload premium add-on, not the core free plugin. Sites running only the base Ninja Forms plugin without the File Upload extension are not vulnerable to this particular flaw.
Scan your WordPress site for file upload vulnerabilities and exposed endpoints with VibeWShield.