Critical Ninja Forms File Upload Plugin Vulnerability Under Active Exploitation
Attackers are actively exploiting CVE-2026-0740, a critical arbitrary file upload vulnerability in the Ninja Forms – File Upload WordPress plugin, with over 118,600 blocked exploit attempts since April 6, 2026.

Attackers are actively exploiting a critical arbitrary file upload vulnerability in the Ninja Forms – File Upload WordPress plugin, designated CVE-2026-0740. The flaw, which carries a CVSS score of 9.8, allows unauthenticated attackers to upload arbitrary files, including PHP backdoors, and achieve remote code execution on affected sites. The vendor released a fully patched version (3.3.27) on March 19, 2026, but exploitation began on April 6, 2026, the same day the vulnerability was publicly disclosed by Wordfence.
The vulnerability resides in the `NF_FU_AJAX_Controllers_Uploads::handle_upload` function, which fails to validate the file type or sanitize the filename of the destination file. While the plugin checks the extension of the source filename, it performs no checks on the final filename the file is saved under. This oversight, combined with a lack of path traversal sanitization, enables an attacker to upload a file with a `.php` extension to any location on the server, including the webroot. To exploit the vulnerability, an attacker needs to find a page containing a Ninja Forms form with a file upload field.
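The following is an added illustration of the class of bug described above, written for this page and not taken from the plugin. It models, in simplified Python rather than PHP, an upload handler that checks only the client-supplied source filename, beside a hardened handler that applies every check (directory components, dotfiles, extension allowlist, resolved path) to the destination filename that will actually be written. The allowlist, the upload root path and the function names are assumptions for the example.

```python
import os
import re

# Assumed allowlist of upload types for the example; not taken from the plugin.
ALLOWED_EXTENSIONS = {"pdf", "png", "jpg", "jpeg", "gif", "txt"}
# Assumed upload directory for the example.
UPLOAD_ROOT = "/var/www/html/wp-content/uploads/forms"


def extension_of(name):
    """Lower-cased text after the last dot, or "" when there is no dot."""
    _, dot, ext = name.rpartition(".")
    return ext.lower() if dot else ""


def vulnerable_accept(source_name, destination_name):
    """Simplified model of the weak pattern the advisory describes (not the
    plugin's code): the extension check runs against the client-supplied
    source name, while the separately supplied destination name is written
    to disk unchecked, so the check says nothing about what is stored."""
    return extension_of(source_name) in ALLOWED_EXTENSIONS


def hardened_accept(source_name, destination_name, upload_root=UPLOAD_ROOT):
    """Apply every check to the name that will actually be written.
    The source name is treated as a display hint only and is ignored."""
    if not destination_name:
        return False
    # 1. Refuse any directory component, so '../../x.php' or 'a/b.pdf'
    #    cannot steer the write outside the upload directory.
    final = os.path.basename(destination_name.replace("\\", "/"))
    if final in ("", ".", "..") or final != destination_name:
        return False
    # 2. Refuse dotfiles such as .htaccess, which would alter server behaviour.
    if final.startswith("."):
        return False
    # 3. Allowlist the destination extension and require exactly one
    #    extension, so 'x.php.pdf' style double extensions are refused too.
    stem, dot, ext = final.rpartition(".")
    if not dot or ext.lower() not in ALLOWED_EXTENSIONS or "." in stem:
        return False
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,100}", stem):
        return False
    # 4. Belt and braces: the resolved target must stay under the upload root.
    root = os.path.realpath(upload_root)
    target = os.path.realpath(os.path.join(root, final))
    return os.path.commonpath([root, target]) == root


if __name__ == "__main__":
    cases = [("report.pdf", "report.pdf"), ("report.pdf", "shell.php"),
             ("report.pdf", "../../shell.php"), ("report.pdf", ".htaccess"),
             ("report.pdf", "shell.php.pdf")]
    for src, dst in cases:
        print(f"{src!r:>14} -> {dst!r:<20} weak={vulnerable_accept(src, dst)!s:<5} "
              f"hardened={hardened_accept(src, dst)}")
```

The key design point is that the source filename never decides anything: a benign `report.pdf` source name paired with a `shell.php` destination is accepted by the weak model and refused by the hardened one, as are traversal, dotfile and double-extension destination names.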
The impact of this vulnerability is severe. Successful exploitation can lead to complete site compromise through the deployment of webshells and other malware. Wordfence has blocked over 118,600 exploit attempts since April 6, 2026. Example attack requests observed by Wordfence show attackers attempting to upload malicious PHP files and `.htaccess` files. One exploit uses a PDF file with a valid header but containing a PHP webshell that is saved with a `.php` extension, allowing the attacker to execute arbitrary code and upload additional malware.
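For administrators checking whether a site was hit before it was patched, the following added Python script (written for this page, not a Wordfence or Ninja Forms tool) walks an upload directory and flags the artefacts the paragraph above describes: files with an executable extension, an `.htaccess` dropped into the upload directory, and files that open with a PDF header but carry a PHP open tag. The sample directory it builds is constructed inline with harmless placeholder content; the set of script extensions is an assumption to adjust to the server's PHP handler mapping.

```python
import os
import shutil
import tempfile

# Extensions a PHP host will commonly execute; assumed for the example,
# adjust to the web server's handler configuration.
SCRIPT_EXTENSIONS = {"php", "phtml", "phar"}
PHP_OPEN_TAG = b"<?php"


def classify_file(path):
    """Return the list of reasons a file looks suspicious (empty if clean)."""
    reasons = []
    name = os.path.basename(path)
    if name == ".htaccess":
        reasons.append("htaccess file in upload directory")
    # Every extension in the name counts, so 'x.php.pdf' is flagged as well.
    exts = [p.lower() for p in name.split(".")[1:]]
    if any(e in SCRIPT_EXTENSIONS for e in exts):
        reasons.append("executable extension")
    with open(path, "rb") as fh:
        head = fh.read(64 * 1024)  # inspect the first 64 KiB only
    if PHP_OPEN_TAG in head:
        reasons.append("contains PHP open tag")
        if head.startswith(b"%PDF"):
            # Valid-looking PDF header with PHP code behind it: the polyglot
            # pattern described in the advisory.
            reasons.append("polyglot: PDF header with PHP code")
    return reasons


def scan_directory(root):
    """Map each suspicious file (relative to root) to its reasons."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            reasons = classify_file(full)
            if reasons:
                findings[os.path.relpath(full, root)] = reasons
    return findings


def build_sample_upload_dir():
    """Constructed sample data with placeholder content; not real artefacts."""
    root = tempfile.mkdtemp(prefix="uploads-sample-")
    samples = {
        "invoice.pdf": b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n",
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
        # PDF header, PHP body, stored under a .php name (constructed placeholder).
        "report.php": b"%PDF-1.4\n<?php /* constructed placeholder, not a shell */ ?>\n",
        ".htaccess": b"# constructed placeholder\n",
        "notes.txt": b"<?php /* constructed placeholder */ ?>\n",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


def demo():
    """Build the sample directory, scan it, clean up, return the findings."""
    root = build_sample_upload_dir()
    try:
        return scan_directory(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for rel, reasons in sorted(demo().items()):
        print(f"{rel}: {', '.join(reasons)}")
```

Run it against a real upload directory by calling `scan_directory("/path/to/wp-content/uploads")` instead of `demo()`; any hit is a reason to pull the file for analysis and review the access logs around its modification time, not a verdict on its own.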
The vulnerability affects all versions of the Ninja Forms – File Upload plugin up to and including 3.3.26. The issue was partially patched in version 3.3.25 and fully patched in version 3.3.27. Users are strongly urged to update to version 3.3.27 or later immediately. Wordfence Premium, Care, and Response users received a firewall rule on January 8, 2026, while free Wordfence users received the same protection on February 7, 2026.
This active exploitation underscores the importance of timely patching, especially for widely used plugins. With an estimated 50,000 active installations, the Ninja Forms – File Upload plugin represents a significant attack surface. Site administrators should verify that their sites are updated and consider additional security measures such as web application firewalls to mitigate the risk of exploitation.