  {"id":2668,"date":"2026-04-14T10:23:53","date_gmt":"2026-04-14T14:23:53","guid":{"rendered":"https:\/\/www.yorku.ca\/uit\/infosec\/?p=2668"},"modified":"2026-04-14T10:23:56","modified_gmt":"2026-04-14T14:23:56","slug":"ninja-forms-wordpress-plugin-vulnerability-cve-2026-0740","status":"publish","type":"post","link":"https:\/\/www.yorku.ca\/uit\/infosec\/2026\/04\/14\/ninja-forms-wordpress-plugin-vulnerability-cve-2026-0740\/","title":{"rendered":"Ninja Forms WordPress Plugin Vulnerability (CVE-2026-0740)"},"content":{"rendered":"\n<p>A recently disclosed critical vulnerability in the Ninja Forms \u2013 File Uploads plugin for WordPress (CVE\u20112026\u20110740) allows unauthenticated remote attackers to upload arbitrary files, potentially leading to remote code execution and full site compromise.<\/p>\n\n\n\n<p><strong>Severity level<\/strong>:-<\/p>\n\n\n\n<p>CVSS Score: 9.8\/Critical.<\/p>\n\n\n\n<p><strong>Description<\/strong>:- &nbsp;The Ninja Forms \u2013 File Uploads plugin for WordPress fails to properly validate uploaded file types in the NF_FU_AJAX_Controllers_Uploads::handle_upload function. In vulnerable versions, this flaw allows unauthenticated attackers to upload arbitrary files, including malicious PHP scripts. Due to insufficient filename sanitization, attackers may also leverage path traversal techniques to place files in sensitive directories, such as the web root. 
Successful exploitation can result in <strong>remote code execution<\/strong>, web shell deployment, and complete takeover of the affected WordPress site.<\/p>\n\n\n\n<p><strong>Affected Versions:-<\/strong><\/p>\n\n\n\n<p>All versions up to and including 3.3.26.<\/p>\n\n\n\n<p><strong>Impact:-<\/strong><\/p>\n\n\n\n<p>Successful exploitation may result in remote code execution on the server.<\/p>\n\n\n\n<p><strong>Resolution:-<\/strong><\/p>\n\n\n\n<p>Upgrade immediately to Ninja Forms \u2013 File Uploads plugin version 3.3.27 or later.<\/p>\n\n\n\n<p><strong>Reference:-<\/strong><\/p>\n\n\n\n<p><a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-0740\">https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-0740<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/hackers-exploit-critical-flaw-in-ninja-forms-wordpress-plugin\">https:\/\/www.bleepingcomputer.com\/news\/security\/hackers-exploit-critical-flaw-in-ninja-forms-wordpress-plugin<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/www.securityweek.com\/hackers-targeting-critical-ninja-forms-bug-that-exposes-wordpress-sites-to-takeover\">https:\/\/www.securityweek.com\/hackers-targeting-critical-ninja-forms-bug-that-exposes-wordpress-sites-to-takeover<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/www.wordfence.com\/blog\/2026\/04\/50000-wordpress-sites-affected-by-arbitrary-file-upload-vulnerability-in-ninja-forms-file-upload-wordpress-plugin\">https:\/\/www.wordfence.com\/blog\/2026\/04\/50000-wordpress-sites-affected-by-arbitrary-file-upload-vulnerability-in-ninja-forms-file-upload-wordpress-plugin<\/a><\/p>\n\n\n\n<p>UIT Information&nbsp;Security<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A recently disclosed critical vulnerability in the Ninja Forms \u2013 File Uploads plugin for WordPress (CVE\u20112026\u20110740) allows unauthenticated remote attackers to upload arbitrary files, potentially leading to remote code execution and 
full site compromise. Severity level:- CVSS Score: 9.8\/Critical. Description:- &nbsp;The Ninja Forms \u2013 File Uploads plugin for WordPress fails to properly validate uploaded file [&hellip;]<\/p>\n","protected":false},"author":2694,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_kad_blocks_custom_css":"","_kad_blocks_head_custom_js":"","_kad_blocks_body_custom_js":"","_kad_blocks_footer_custom_js":"","ngg_post_thumbnail":0,"footnotes":""},"categories":[31],"tags":[],"class_list":["post-2668","post","type-post","status-publish","format-standard","hentry","category-vulnerabilities"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.4 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Ninja Forms WordPress Plugin Vulnerability (CVE-2026-0740) - Information Security<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.yorku.ca\/uit\/infosec\/2026\/04\/14\/ninja-forms-wordpress-plugin-vulnerability-cve-2026-0740\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Ninja Forms WordPress Plugin Vulnerability (CVE-2026-0740) - Information Security\" \/>\n<meta property=\"og:description\" content=\"A recently disclosed critical vulnerability in the Ninja Forms \u2013 File Uploads plugin for WordPress (CVE\u20112026\u20110740) allows unauthenticated remote attackers to upload arbitrary files, potentially leading to remote code execution and full site compromise. Severity level:- CVSS Score: 9.8\/Critical. 
Description:- &nbsp;The Ninja Forms \u2013 File Uploads plugin for WordPress fails to properly validate uploaded file [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.yorku.ca\/uit\/infosec\/2026\/04\/14\/ninja-forms-wordpress-plugin-vulnerability-cve-2026-0740\/\" \/>\n<meta property=\"og:site_name\" content=\"Information Security\" \/>\n<meta property=\"article:published_time\" content=\"2026-04-14T14:23:53+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-04-14T14:23:56+00:00\" \/>\n<meta name=\"author\" content=\"kasingh\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"kasingh\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.yorku.ca\\\/uit\\\/infosec\\\/2026\\\/04\\\/14\\\/ninja-forms-wordpress-plugin-vulnerability-cve-2026-0740\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.yorku.ca\\\/uit\\\/infosec\\\/2026\\\/04\\\/14\\\/ninja-forms-wordpress-plugin-vulnerability-cve-2026-0740\\\/\"},\"author\":{\"name\":\"kasingh\",\"@id\":\"https:\\\/\\\/www.yorku.ca\\\/uit\\\/infosec\\\/#\\\/schema\\\/person\\\/206ba07b2fdc716dbfb162fe95aa60ee\"},\"headline\":\"Ninja Forms WordPress Plugin Vulnerability 
(CVE-2026-0740)\",\"datePublished\":\"2026-04-14T14:23:53+00:00\",\"dateModified\":\"2026-04-14T14:23:56+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.yorku.ca\\\/uit\\\/infosec\\\/2026\\\/04\\\/14\\\/ninja-forms-wordpress-plugin-vulnerability-cve-2026-0740\\\/\"},\"wordCount\":199,\"publisher\":{\"@id\":\"https:\\\/\\\/www.yorku.ca\\\/uit\\\/infosec\\\/#organization\"},\"articleSection\":[\"Vulnerabilities\"],\"inLanguage\":\"en-CA\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.yorku.ca\\\/uit\\\/infosec\\\/2026\\\/04\\\/14\\\/ninja-forms-wordpress-plugin-vulnerability-cve-2026-0740\\\/\",\"url\":\"https:\\\/\\\/www.yorku.ca\\\/uit\\\/infosec\\\/2026\\\/04\\\/14\\\/ninja-forms-wordpress-plugin-vulnerability-cve-2026-0740\\\/\",\"name\":\"Ninja Forms WordPress Plugin Vulnerability (CVE-2026-0740) - Information Security\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.yorku.ca\\\/uit\\\/infosec\\\/#website\"},\"datePublished\":\"2026-04-14T14:23:53+00:00\",\"dateModified\":\"2026-04-14T14:23:56+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.yorku.ca\\\/uit\\\/infosec\\\/2026\\\/04\\\/14\\\/ninja-forms-wordpress-plugin-vulnerability-cve-2026-0740\\\/#breadcrumb\"},\"inLanguage\":\"en-CA\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.yorku.ca\\\/uit\\\/infosec\\\/2026\\\/04\\\/14\\\/ninja-forms-wordpress-plugin-vulnerability-cve-2026-0740\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.yorku.ca\\\/uit\\\/infosec\\\/2026\\\/04\\\/14\\\/ninja-forms-wordpress-plugin-vulnerability-cve-2026-0740\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.yorku.ca\\\/uit\\\/infosec\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Ninja Forms WordPress Plugin Vulnerability 
(CVE-2026-0740)\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.yorku.ca\\\/uit\\\/infosec\\\/#website\",\"url\":\"https:\\\/\\\/www.yorku.ca\\\/uit\\\/infosec\\\/\",\"name\":\"Information Security\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.yorku.ca\\\/uit\\\/infosec\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.yorku.ca\\\/uit\\\/infosec\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-CA\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.yorku.ca\\\/uit\\\/infosec\\\/#organization\",\"name\":\"Information Security\",\"url\":\"https:\\\/\\\/www.yorku.ca\\\/uit\\\/infosec\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-CA\",\"@id\":\"https:\\\/\\\/www.yorku.ca\\\/uit\\\/infosec\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.yorku.ca\\\/uit\\\/infosec\\\/wp-content\\\/uploads\\\/sites\\\/806\\\/2025\\\/05\\\/Image-4.png\",\"contentUrl\":\"https:\\\/\\\/www.yorku.ca\\\/uit\\\/infosec\\\/wp-content\\\/uploads\\\/sites\\\/806\\\/2025\\\/05\\\/Image-4.png\",\"width\":1024,\"height\":1024,\"caption\":\"Information 
Security\"},\"image\":{\"@id\":\"https:\\\/\\\/www.yorku.ca\\\/uit\\\/infosec\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.yorku.ca\\\/uit\\\/infosec\\\/#\\\/schema\\\/person\\\/206ba07b2fdc716dbfb162fe95aa60ee\",\"name\":\"kasingh\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-CA\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/c8a14e9f369169760b25636109e5d366baf391d45d3aa148137036b64cc6bb48?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/c8a14e9f369169760b25636109e5d366baf391d45d3aa148137036b64cc6bb48?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/c8a14e9f369169760b25636109e5d366baf391d45d3aa148137036b64cc6bb48?s=96&d=mm&r=g\",\"caption\":\"kasingh\"},\"url\":\"https:\\\/\\\/www.yorku.ca\\\/uit\\\/infosec\\\/author\\\/kasingh\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Ninja Forms WordPress Plugin Vulnerability (CVE-2026-0740) - Information Security","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.yorku.ca\/uit\/infosec\/2026\/04\/14\/ninja-forms-wordpress-plugin-vulnerability-cve-2026-0740\/","og_locale":"en_US","og_type":"article","og_title":"Ninja Forms WordPress Plugin Vulnerability (CVE-2026-0740) - Information Security","og_description":"A recently disclosed critical vulnerability in the Ninja Forms \u2013 File Uploads plugin for WordPress (CVE\u20112026\u20110740) allows unauthenticated remote attackers to upload arbitrary files, potentially leading to remote code execution and full site compromise. Severity level:- CVSS Score: 9.8\/Critical. 
Description:- &nbsp;The Ninja Forms \u2013 File Uploads plugin for WordPress fails to properly validate uploaded file [&hellip;]","og_url":"https:\/\/www.yorku.ca\/uit\/infosec\/2026\/04\/14\/ninja-forms-wordpress-plugin-vulnerability-cve-2026-0740\/","og_site_name":"Information Security","article_published_time":"2026-04-14T14:23:53+00:00","article_modified_time":"2026-04-14T14:23:56+00:00","author":"kasingh","twitter_card":"summary_large_image","twitter_misc":{"Written by":"kasingh","Est. reading time":"1 minute"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.yorku.ca\/uit\/infosec\/2026\/04\/14\/ninja-forms-wordpress-plugin-vulnerability-cve-2026-0740\/#article","isPartOf":{"@id":"https:\/\/www.yorku.ca\/uit\/infosec\/2026\/04\/14\/ninja-forms-wordpress-plugin-vulnerability-cve-2026-0740\/"},"author":{"name":"kasingh","@id":"https:\/\/www.yorku.ca\/uit\/infosec\/#\/schema\/person\/206ba07b2fdc716dbfb162fe95aa60ee"},"headline":"Ninja Forms WordPress Plugin Vulnerability (CVE-2026-0740)","datePublished":"2026-04-14T14:23:53+00:00","dateModified":"2026-04-14T14:23:56+00:00","mainEntityOfPage":{"@id":"https:\/\/www.yorku.ca\/uit\/infosec\/2026\/04\/14\/ninja-forms-wordpress-plugin-vulnerability-cve-2026-0740\/"},"wordCount":199,"publisher":{"@id":"https:\/\/www.yorku.ca\/uit\/infosec\/#organization"},"articleSection":["Vulnerabilities"],"inLanguage":"en-CA"},{"@type":"WebPage","@id":"https:\/\/www.yorku.ca\/uit\/infosec\/2026\/04\/14\/ninja-forms-wordpress-plugin-vulnerability-cve-2026-0740\/","url":"https:\/\/www.yorku.ca\/uit\/infosec\/2026\/04\/14\/ninja-forms-wordpress-plugin-vulnerability-cve-2026-0740\/","name":"Ninja Forms WordPress Plugin Vulnerability (CVE-2026-0740) - Information 
Security","isPartOf":{"@id":"https:\/\/www.yorku.ca\/uit\/infosec\/#website"},"datePublished":"2026-04-14T14:23:53+00:00","dateModified":"2026-04-14T14:23:56+00:00","breadcrumb":{"@id":"https:\/\/www.yorku.ca\/uit\/infosec\/2026\/04\/14\/ninja-forms-wordpress-plugin-vulnerability-cve-2026-0740\/#breadcrumb"},"inLanguage":"en-CA","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.yorku.ca\/uit\/infosec\/2026\/04\/14\/ninja-forms-wordpress-plugin-vulnerability-cve-2026-0740\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.yorku.ca\/uit\/infosec\/2026\/04\/14\/ninja-forms-wordpress-plugin-vulnerability-cve-2026-0740\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.yorku.ca\/uit\/infosec\/"},{"@type":"ListItem","position":2,"name":"Ninja Forms WordPress Plugin Vulnerability (CVE-2026-0740)"}]},{"@type":"WebSite","@id":"https:\/\/www.yorku.ca\/uit\/infosec\/#website","url":"https:\/\/www.yorku.ca\/uit\/infosec\/","name":"Information Security","description":"","publisher":{"@id":"https:\/\/www.yorku.ca\/uit\/infosec\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.yorku.ca\/uit\/infosec\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-CA"},{"@type":"Organization","@id":"https:\/\/www.yorku.ca\/uit\/infosec\/#organization","name":"Information Security","url":"https:\/\/www.yorku.ca\/uit\/infosec\/","logo":{"@type":"ImageObject","inLanguage":"en-CA","@id":"https:\/\/www.yorku.ca\/uit\/infosec\/#\/schema\/logo\/image\/","url":"https:\/\/www.yorku.ca\/uit\/infosec\/wp-content\/uploads\/sites\/806\/2025\/05\/Image-4.png","contentUrl":"https:\/\/www.yorku.ca\/uit\/infosec\/wp-content\/uploads\/sites\/806\/2025\/05\/Image-4.png","width":1024,"height":1024,"caption":"Information 
Security"},"image":{"@id":"https:\/\/www.yorku.ca\/uit\/infosec\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.yorku.ca\/uit\/infosec\/#\/schema\/person\/206ba07b2fdc716dbfb162fe95aa60ee","name":"kasingh","image":{"@type":"ImageObject","inLanguage":"en-CA","@id":"https:\/\/secure.gravatar.com\/avatar\/c8a14e9f369169760b25636109e5d366baf391d45d3aa148137036b64cc6bb48?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/c8a14e9f369169760b25636109e5d366baf391d45d3aa148137036b64cc6bb48?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/c8a14e9f369169760b25636109e5d366baf391d45d3aa148137036b64cc6bb48?s=96&d=mm&r=g","caption":"kasingh"},"url":"https:\/\/www.yorku.ca\/uit\/infosec\/author\/kasingh\/"}]}},"taxonomy_info":{"category":[{"value":31,"label":"Vulnerabilities"}]},"featured_image_src_large":false,"author_info":{"display_name":"kasingh","author_link":"https:\/\/www.yorku.ca\/uit\/infosec\/author\/kasingh\/"},"comment_info":0,"category_info":[{"term_id":31,"name":"Vulnerabilities","slug":"vulnerabilities","term_group":0,"term_taxonomy_id":31,"taxonomy":"category","description":"","parent":0,"count":15,"filter":"raw","cat_ID":31,"category_count":15,"category_description":"","cat_name":"Vulnerabilities","category_nicename":"vulnerabilities","category_parent":0}],"tag_info":false,"_links":{"self":[{"href":"https:\/\/www.yorku.ca\/uit\/infosec\/wp-json\/wp\/v2\/posts\/2668","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.yorku.ca\/uit\/infosec\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.yorku.ca\/uit\/infosec\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.yorku.ca\/uit\/infosec\/wp-json\/wp\/v2\/users\/2694"}],"replies":[{"embeddable":true,"href":"https:\/\/www.yorku.ca\/uit\/infosec\/wp-json\/wp\/v2\/comments?post=2668"}],"version-history":[{"count":1,"href":"https:\/\/www.yorku.ca\/uit\/infosec\/wp-json\/wp\/v2\/posts\/2668\/revisions"}],"predecessor
-version":[{"id":2669,"href":"https:\/\/www.yorku.ca\/uit\/infosec\/wp-json\/wp\/v2\/posts\/2668\/revisions\/2669"}],"wp:attachment":[{"href":"https:\/\/www.yorku.ca\/uit\/infosec\/wp-json\/wp\/v2\/media?parent=2668"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.yorku.ca\/uit\/infosec\/wp-json\/wp\/v2\/categories?post=2668"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.yorku.ca\/uit\/infosec\/wp-json\/wp\/v2\/tags?post=2668"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}