Critical severity9.8NVD Advisory· Published Mar 23, 2022· Updated Apr 8, 2026

CVE-2022-0888

Description

The Ninja Forms - File Uploads Extension WordPress plugin is vulnerable to arbitrary file uploads due to insufficient input file type validation found in the ~/includes/ajax/controllers/uploads.php file which can be bypassed making it possible for unauthenticated attackers to upload malicious files that can be used to obtain remote code execution, in versions up to and including 3.3.0

Affected products

Ninjaforms/Ninja Forms File Uploads
cpe:2.3:a:ninjaforms:ninja_forms_file_uploads:*:*:*:*:*:wordpress:*:*
Range: <=3.3.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

gist.github.com/Xib3rR4dAr/5f0accbbfdee279c68ed144da9cd8607nvdExploitPatchThird Party Advisory
www.wordfence.com/vulnerability-advisories/nvdThird Party Advisory
www.wordfence.com/threat-intel/vulnerabilities/id/f00eeaef-f277-481f-9e18-bf1ced0015a0nvd

News mentions

No linked articles in our index yet.

cvss	0.637
epss	0.007
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000