VYPR
Published Apr 6, 2026 · Updated May 18, 2026 · 1 source

Critical Unauthenticated File Upload Vulnerability in Ninja Forms – File Upload Plugin Affects 50,000 WordPress Sites

A critical arbitrary file upload vulnerability (CVE-2026-0740, CVSS 9.8) in the Ninja Forms – File Upload WordPress plugin allows unauthenticated attackers to achieve remote code execution on up to 50,000 sites.

A critical arbitrary file upload vulnerability has been disclosed in the Ninja Forms – File Upload WordPress plugin, affecting an estimated 50,000 active installations. Tracked as CVE-2026-0740 with a CVSS score of 9.8, the flaw allows unauthenticated attackers to upload arbitrary files to a vulnerable site's server, potentially leading to remote code execution. The vulnerability was discovered and responsibly reported by researcher Sélim Lanouar (whattheslime) through the Wordfence Bug Bounty Program, earning a $2,145 bounty.

The vulnerability resides in the `NF_FU_AJAX_Controllers_Uploads::handle_upload` function in all versions up to and including 3.3.26. The plugin, an addon for the popular Ninja Forms form builder, adds file upload fields to forms. The `handle_upload` function processes file uploads sent via AJAX requests and calls the `_process()` method, which uses `move_uploaded_file()` to save the file into the uploads directory. Critically, the code did not validate the file type, so an attacker could upload any file, including PHP scripts that the web server will execute.

The exploit chain is straightforward: an unauthenticated attacker sends a crafted request to the upload endpoint, getting past the nonce check if the form ID is known or guessable. Once a malicious file has been uploaded, the attacker requests it directly from the web server and achieves remote code execution. The vulnerability was partially patched in version 3.3.25 and fully patched in version 3.3.27, which adds file extension blacklisting and sanitization of user-provided filenames to prevent path traversal. Extension blacklists are a weaker control than allowlists: any executable extension the list omits (phtml, phar, php7 and similar, depending on server configuration) still gets through, as does a double extension such as `shell.php.jpg` on servers that map by any dotted suffix.
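The following is an added example, not code from the Ninja Forms plugin or from the advisory: it mirrors the unsafe "trust the client's filename" pattern the advisory describes and places it beside the checks a hardened handler needs (filename sanitization against traversal, an extension allowlist rather than a blacklist, and a content check for PHP open tags). The upload root, function names and sample requests are all hypothetical; the naive `BLACKLIST` is there only to show why blacklisting is fragile and is not the plugin's actual list.

```python
"""Added example, not code from the Ninja Forms plugin: the unsafe
"join the client's filename" pattern beside hardened validation.
All names, the upload path and the sample requests are hypothetical."""
import os
import re
from typing import List, Optional, Tuple

UPLOAD_ROOT = "/var/www/html/wp-content/uploads"  # assumed location

# Naive blacklist, used only to show why blacklists are fragile;
# it is NOT the plugin's actual list.
BLACKLIST = {"php"}

# Allowlist of what a typical form actually needs to accept.
ALLOWLIST = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}


def all_extensions(filename: str) -> List[str]:
    """Every dotted suffix, lower-cased: 'a.PHP.jpg' -> ['php', 'jpg']."""
    return [p.lower() for p in filename.split(".")[1:]]


def vulnerable_target(filename: str) -> str:
    """Mirror of the unsafe pattern: join the client-supplied name as-is."""
    return os.path.join(UPLOAD_ROOT, filename)


def escapes_root(path: str) -> bool:
    """True when the resolved path lands outside UPLOAD_ROOT (traversal)."""
    root = os.path.realpath(UPLOAD_ROOT)
    return os.path.commonpath([root, os.path.realpath(path)]) != root


def sanitize_filename(filename: str) -> str:
    """Drop any directory part, then restrict to a conservative charset."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base).strip("._")
    return base or "upload"


def blacklist_check(filename: str) -> bool:
    """Accept unless the LAST extension is blacklisted. Weak: 'x.phtml'
    and 'x.php.jpg' both pass, and many server configs execute them."""
    exts = all_extensions(filename)
    return not exts or exts[-1] not in BLACKLIST


def allowlist_check(filename: str) -> bool:
    """Accept only if every extension is allowlisted; rejects 'x.php.jpg'."""
    exts = all_extensions(filename)
    return bool(exts) and all(e in ALLOWLIST for e in exts)


def looks_like_php(data: bytes) -> bool:
    """Content check: a PHP open tag anywhere in the first 4 KiB."""
    head = data[:4096]
    return b"<?php" in head or b"<?=" in head


def validate_upload(filename: str, data: bytes) -> Tuple[Optional[str], str]:
    """Hardened decision: (destination path or None, reason)."""
    name = sanitize_filename(filename)
    if not allowlist_check(name):
        return None, "extension not allowlisted"
    if looks_like_php(data):
        return None, "content looks like PHP source"
    dest = os.path.join(UPLOAD_ROOT, name)
    if escapes_root(dest):  # defence in depth; sanitize_filename already strips dirs
        return None, "path escapes upload root"
    return dest, "ok"


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        ("photo.jpg", b"\xff\xd8\xff\xe0"),
        ("shell.php", b"<?php system($_GET['c']); ?>"),
        ("shell.phtml", b"<?php system($_GET['c']); ?>"),
        ("shell.php.jpg", b"<?php system($_GET['c']); ?>"),
        ("avatar.jpg", b"GIF89a<?php eval($_POST['x']); ?>"),
        ("../../wp-config.php", b"<?php // overwrite attempt"),
    ]
    for name, data in samples:
        unsafe = vulnerable_target(name)
        print(f"{name:22} escapes_root={escapes_root(unsafe)!s:5} "
              f"blacklist_accepts={blacklist_check(name)!s:5} "
              f"hardened={validate_upload(name, data)[1]}")
```

Run stand-alone it prints, for each constructed request, whether the unsafe join would escape the uploads root, whether the naive blacklist would have accepted the name, and what the hardened path does with it; the `.phtml`, `.php.jpg` and GIF-header-plus-PHP cases are the ones a blacklist alone misses.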

Wordfence Premium, Care, and Response users received a firewall rule to block exploits on January 8, 2026, the same day the vulnerability was reported. Free Wordfence users received the protection 30 days later on February 7, 2026. The plugin developer, Saturday Drive, released the first patch on February 10, 2026, and the second on March 19, 2026. Users are strongly urged to update to version 3.3.27 immediately.

This vulnerability is particularly dangerous because it requires no authentication and can be exploited remotely. With an estimated 50,000 active installations, the potential for widespread compromise is significant. Site administrators should verify they are running version 3.3.27 or later (3.3.25 and 3.3.26 carry only the partial fix), consider additional security measures such as a web application firewall, denying script execution inside the uploads directory at the web server, and file integrity monitoring, and check the uploads tree for PHP files or server control files that an attacker may already have dropped. The disclosure highlights the ongoing risk posed by third-party plugins in the WordPress ecosystem and the importance of prompt patching.

Synthesized by Vypr AI