Ninja Forms – File Upload Plugin patch release (version 3.3.27)
Security Patch Release
Summary
Hide ▲
Show ▼
Ninja Forms – File Upload Plugin received a complete patch in version 3.3.27 after a partial fix on February 10, closing a critical upload flaw that left thousands of WordPress sites at risk. The release matters because the bug allowed unauthenticated file uploads that could lead to remote code execution. Site owners were told to update immediately to the fixed version.
Related Happenings
PhpBB 3.3.17 security update
Security Patch Release
H score34
First: 09.06.2026 17:00
Last: 09.06.2026 17:00
Sources 1
About this happening:
**phpBB** released **version 3.3.17** to fix **PTT-2026-004** and **PTT-2026-005**, closing account-takeover flaws affecting forum deployments. The update is the **only complete f...
PhpBB 3.3.17 security update
Security Patch ReleaseAbout this happening: **phpBB** released **version 3.3.17** to fix **PTT-2026-004** and **PTT-2026-005**, closing account-takeover flaws affecting forum deployments. The update is the **only complete f...
The vendor security patch release for CVE-2026-8206
Security Patch Release
H score89
First: 03.06.2026 01:12
Last: 03.06.2026 01:12
Sources 1
About this happening:
**Kirki - Freeform Page Builder, Website Builder & Customizer** shipped **version 6.0.7** to fix **CVE-2026-8206**, a privilege-escalation flaw that could let attackers take over...
The vendor security patch release for CVE-2026-8206
Security Patch ReleaseAbout this happening: **Kirki - Freeform Page Builder, Website Builder & Customizer** shipped **version 6.0.7** to fix **CVE-2026-8206**, a privilege-escalation flaw that could let attackers take over...
Avada Builder 3.15.3 patch release (CVE-2026-4782, CVE-2026-4798)
Security Patch Release
H score21
First: 15.05.2026 18:56
Last: 15.05.2026 18:56
Sources 1
About this happening:
**Avada Builder** shipped **version 3.15.3** as the full fix for **CVE-2026-4782** and **CVE-2026-4798**, closing the plugin flaws that could expose files and database data. A pri...
Avada Builder 3.15.3 patch release (CVE-2026-4782, CVE-2026-4798)
Security Patch ReleaseAbout this happening: **Avada Builder** shipped **version 3.15.3** as the full fix for **CVE-2026-4782** and **CVE-2026-4798**, closing the plugin flaws that could expose files and database data. A pri...
WordPress.org closes compromised EssentialPlugin plugins with forced update
Security Tool/Service
H score16
First: 15.04.2026 23:33
Last: 15.04.2026 23:33
Sources 1
About this happening:
**WordPress.org** closed the compromised **EssentialPlugin** plugins and forced an update, changing how affected sites received and ran the package. The move mattered because the...
WordPress.org closes compromised EssentialPlugin plugins with forced update
Security Tool/ServiceAbout this happening: **WordPress.org** closed the compromised **EssentialPlugin** plugins and forced an update, changing how affected sites received and ran the package. The move mattered because the...
Elementor Ally 4.1.0 security patch release (CVE-2026-2313)
Security Patch Release
H score59
First: 11.03.2026 21:38
Last: 11.03.2026 21:38
Sources 1
About this happening:
**Elementor** released **Ally 4.1.0** to fix **CVE-2026-2313**, a **SQL injection** flaw in the WordPress accessibility plugin that could expose **sensitive data**. The update lan...
Elementor Ally 4.1.0 security patch release (CVE-2026-2313)
Security Patch ReleaseAbout this happening: **Elementor** released **Ally 4.1.0** to fix **CVE-2026-2313**, a **SQL injection** flaw in the WordPress accessibility plugin that could expose **sensitive data**. The update lan...
Timeline
-
08.04.2026 18:10 1 articles · 3mo ago
Ninja Forms developer issues partial fix for file upload flaw
Mitigation Patch UpdateThe Ninja Forms – File Upload Plugin developer issued a partial fix on February 10, 2026 for the arbitrary file upload flaw affecting plugin versions up to 3.3.26. The vulnerability had enabled unauthenticated attackers to upload malicious files, including .php payloads, and potentially reach remote code execution on WordPress sites.
Show sources
- Critical Vulnerability in Ninja Forms Exposes WordPress Sites — www.infosecurity-magazine.com — 08.04.2026 18:10
-
08.04.2026 18:10 2 articles · 3mo ago
Ninja Forms releases version 3.3.27 with complete patch
Mitigation Patch UpdateThe Ninja Forms – File Upload Plugin developer released version 3.3.27 on March 19, 2026 with a complete patch for the arbitrary file upload vulnerability and advised users to update immediately. The fix closed the path that had allowed unauthenticated file uploads and potential remote code execution on affected WordPress sites.
Show sources
- Critical Vulnerability in Ninja Forms Exposes WordPress Sites — www.infosecurity-magazine.com — 08.04.2026 18:10
- Critical Vulnerability in Ninja Forms Exposes WordPress Sites — www.infosecurity-magazine.com — 08.04.2026 18:10
-
08.01.2026 02:00 1 articles · 6mo ago
Sélim Lanouar reports critical Ninja Forms file upload flaw
Initial DisclosureSélim Lanouar, known as whattheslime, reported a critical arbitrary file upload vulnerability in Ninja Forms – File Upload Plugin through the Wordfence Bug Bounty Program, and Wordfence validated the report and confirmed a proof-of-concept exploit. The flaw affected plugin versions up to 3.3.26 on WordPress sites and could allow unauthenticated attackers to upload malicious files for remote code execution.
Show sources
- Critical Vulnerability in Ninja Forms Exposes WordPress Sites — www.infosecurity-magazine.com — 08.04.2026 18:10