Arbitrary file upload vulnerability in Ninja Forms plugin leads to unauthenticated remote code execution in WordPress
Summary
A critical arbitrary file upload vulnerability in the Ninja Forms – File Uploads plugin (versions ≤3.3.26) for WordPress enables unauthenticated attackers to upload malicious files, leading to remote code execution (RCE). The flaw, discovered by researcher Sélim Lanouar, carries a CVSS score of 9.8 and stems from insufficient file validation in the plugin’s upload handling function. Attackers can bypass restrictions to upload PHP files, manipulate filenames, use path traversal, and execute malicious code, potentially gaining full control of affected websites.
Timeline
- 08.04.2026 18:10 · 1 article
Ninja Forms plugin vulnerability patched after unauthenticated RCE risk disclosed
Wordfence validated a critical arbitrary file upload vulnerability in the Ninja Forms – File Uploads plugin (≤3.3.26) and confirmed a working proof of concept on January 8, 2026. The flaw allowed unauthenticated attackers to upload arbitrary files, including PHP scripts, because the plugin's upload handling function did not sufficiently validate the submitted file, enabling remote code execution. A partial fix was released on February 10, 2026, followed by a complete patch in version 3.3.27 on March 19, 2026.
Source: Critical Vulnerability in Ninja Forms Exposes WordPress Sites — www.infosecurity-magazine.com — 08.04.2026 18:10
Information Snippets
- The vulnerability affects Ninja Forms – File Uploads plugin versions up to 3.3.26 on WordPress.
  First reported: 08.04.2026 18:10 (1 source, 1 article: www.infosecurity-magazine.com)
- The flaw allows unauthenticated attackers to upload arbitrary files, including malicious PHP files, due to insufficient validation in the upload handling function.
  First reported: 08.04.2026 18:10 (1 source, 1 article: www.infosecurity-magazine.com)
- The vulnerability carries a CVSS score of 9.8, indicating critical severity.
  First reported: 08.04.2026 18:10 (1 source, 1 article: www.infosecurity-magazine.com)
- Attackers can manipulate file extensions and filenames, and use path traversal to place files in sensitive directories, enabling remote code execution.
  First reported: 08.04.2026 18:10 (1 source, 1 article: www.infosecurity-magazine.com)
- The flaw was discovered by security researcher Sélim Lanouar (whattheslime) and reported through the Wordfence Bug Bounty Program, earning a $2,145 reward.
  First reported: 08.04.2026 18:10 (1 source, 1 article: www.infosecurity-magazine.com)
- Wordfence validated the report and confirmed a proof-of-concept exploit on January 8, 2026.
  First reported: 08.04.2026 18:10 (1 source, 1 article: www.infosecurity-magazine.com)
- The plugin developer issued a partial fix on February 10, 2026, followed by a complete patch in version 3.3.27 on March 19, 2026.
  First reported: 08.04.2026 18:10 (1 source, 1 article: www.infosecurity-magazine.com)