A recently disclosed critical vulnerability in the Ninja Forms – File Uploads plugin for WordPress (CVE‑2026‑0740) allows unauthenticated remote attackers to upload arbitrary files, potentially leading to remote code execution and full site compromise.
Severity level:-
CVSS Score: 9.8/Critical.
Description:- The Ninja Forms – File Uploads plugin for WordPress fails to properly validate uploaded file types in the NF_FU_AJAX_Controllers_Uploads::handle_upload function. In vulnerable versions, this flaw allows unauthenticated attackers to upload arbitrary files, including malicious PHP scripts. Due to insufficient filename sanitization, attackers may also leverage path traversal techniques to place files in sensitive directories, such as the web root. Successful exploitation can result in remote code execution, web shell deployment, and complete takeover of the affected WordPress site.
Affected Versions :- Â
All versions up to and including 3.3.26.
Impact:-
Successful exploitation may result in Remote code execution on the server.
Resolution:-
Upgrade immediately to Ninja Forms – File Uploads plugin version 3.3.27 or later.
Reference:-
UIT Information Security