Critical Arbitrary File Upload Vulnerability in Ninja Forms Plugin Exposes WordPress Sites to RCE
A critical arbitrary file upload vulnerability (CVSS 9.8) in the Ninja Forms – File Upload Plugin for WordPress allows unauthenticated attackers to upload malicious files and achieve remote code execution, affecting versions up to 3.3.26.

A critical arbitrary file upload vulnerability in the Ninja Forms – File Upload Plugin has been identified, exposing thousands of WordPress sites to potential compromise. The issue affects plugin versions up to 3.3.26 and allows unauthenticated attackers to upload malicious files, potentially leading to remote code execution (RCE). The flaw carries a CVSS score of 9.8, reflecting its critical severity.
The vulnerability stems from insufficient file validation in the plugin's upload handling function. While some validation checks exist, they fail to properly verify file types and extensions during the upload process. This gap allows attackers to upload files with dangerous extensions such as .php, manipulate filenames to bypass safeguards, use path traversal techniques to place files in sensitive directories, and execute malicious code remotely after upload. As a result, attackers could gain full control of affected websites, often by deploying webshells or similar tools.
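As an added example (not code from the Ninja Forms plugin or from Wordfence), the following plain-PHP validator shows what strict upload-name checking looks like for each gap the advisory describes: dangerous extensions, filename manipulation and path traversal. The function name, its allow-list and the sample filenames are constructed for this illustration.

```php
<?php
// Added example, not code from the Ninja Forms plugin: a strict filename
// validator for an upload handler, covering the gaps the advisory
// describes: dangerous extensions, filename tricks and path traversal.

function validate_upload_name(string $client_name, array $allowed = ['jpg', 'jpeg', 'png', 'gif', 'pdf']): array
{
    // A NUL byte, path separator or ".." means the name could escape the
    // upload directory or truncate the checked extension; reject outright.
    if (strpbrk($client_name, "\0/\\") !== false || str_contains($client_name, '..')) {
        return ['ok' => false, 'reason' => 'path separator, ".." or NUL byte in filename'];
    }

    // Compare case-insensitively and inspect every extension segment, not
    // only the last one: "shell.php.jpg" is still handled as PHP by some
    // Apache AddHandler configurations.
    $parts = explode('.', strtolower($client_name));
    if (count($parts) < 2 || $parts[0] === '') {
        return ['ok' => false, 'reason' => 'missing extension or dotfile name'];
    }
    $executable = ['php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phar', 'phps', 'pht', 'shtml', 'htaccess'];
    foreach (array_slice($parts, 1) as $segment) {
        if (in_array($segment, $executable, true)) {
            return ['ok' => false, 'reason' => "executable extension segment .$segment"];
        }
    }
    $ext = end($parts);
    if (!in_array($ext, $allowed, true)) {
        return ['ok' => false, 'reason' => "extension .$ext not in allow-list"];
    }

    // Never store under the client-chosen name: a random server-generated
    // name keeps the stored path fully server-controlled. In WordPress,
    // also run wp_check_filetype_and_ext() on the temp file so the
    // extension is checked against the actual file contents, not the name.
    return ['ok' => true, 'stored_name' => bin2hex(random_bytes(16)) . '.' . $ext];
}

// Constructed sample filenames exercising each rejection path.
$samples = ['photo.jpg', 'shell.php', 'shell.php.jpg', 'SHELL.PHTML',
            '../../wp-content/x.jpg', '.htaccess', "a.jpg\0.php"];
foreach ($samples as $name) {
    $r = validate_upload_name($name);
    printf("%-32s %s\n", json_encode($name),
        $r['ok'] ? 'accept, stored as ' . $r['stored_name'] : 'reject: ' . $r['reason']);
}
```

Only the first sample is accepted; the rest hit the NUL/traversal, dotfile, executable-segment or allow-list checks in turn.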
The vulnerability was discovered by security researcher Sélim Lanouar, known as whattheslime, who reported it through the Wordfence Bug Bounty Program. He reportedly received a $2,145 reward for the finding. In an advisory published on Monday, Wordfence said it acted quickly following the report on January 8, 2026. "We validated the report and confirmed the proof-of-concept (PoC) exploit," the team said.
The plugin developer issued a partial fix on February 10, followed by a complete patch on March 19 with version 3.3.27. Users are strongly advised to update immediately to the latest version. Delays in patching could leave sites open to exploitation, particularly given the ease of attack and lack of authentication required.
This vulnerability is particularly concerning due to the widespread use of the Ninja Forms plugin, which is installed on over 1 million WordPress sites. Because exploitation requires no authentication, any visitor to a vulnerable site could potentially compromise it. The ability to upload arbitrary files, including PHP webshells, gives attackers a direct path to remote code execution and full takeover of the server.
The discovery highlights the ongoing risks associated with third-party plugins in the WordPress ecosystem. While the platform itself is generally secure, plugins often introduce vulnerabilities that can be exploited at scale. The Wordfence bug bounty program continues to play a crucial role in identifying and addressing such flaws before they can be widely exploited.
Users of the Ninja Forms – File Upload Plugin should verify they are running version 3.3.27 or later. Site administrators should also review their file upload configurations and consider implementing additional security measures such as web application firewalls and file type restrictions to mitigate similar risks in other plugins.