Find notable cyber news and cases, enriched with sources, timelines, and signals.

Ninja Forms – File Upload Plugin patch release (version 3.3.27)

Security Patch Release
First reported
Last updated
Happening score
H score 43
1 unique sources, 1 articles

Summary

Hide ▲

Ninja Forms – File Upload Plugin received a complete patch in version 3.3.27 after a partial fix on February 10, closing a critical upload flaw that left thousands of WordPress sites at risk. The release matters because the bug allowed unauthenticated file uploads that could lead to remote code execution. Site owners were told to update immediately to the fixed version.

Related Happenings

PhpBB 3.3.17 security update

Security Patch Release
H score34 First: 09.06.2026 17:00 Last: 09.06.2026 17:00 Sources 1

About this happening: **phpBB** released **version 3.3.17** to fix **PTT-2026-004** and **PTT-2026-005**, closing account-takeover flaws affecting forum deployments. The update is the **only complete f...

The vendor security patch release for CVE-2026-8206

Security Patch Release
H score89 First: 03.06.2026 01:12 Last: 03.06.2026 01:12 Sources 1

About this happening: **Kirki - Freeform Page Builder, Website Builder & Customizer** shipped **version 6.0.7** to fix **CVE-2026-8206**, a privilege-escalation flaw that could let attackers take over...

Avada Builder 3.15.3 patch release (CVE-2026-4782, CVE-2026-4798)

Security Patch Release
H score21 First: 15.05.2026 18:56 Last: 15.05.2026 18:56 Sources 1

About this happening: **Avada Builder** shipped **version 3.15.3** as the full fix for **CVE-2026-4782** and **CVE-2026-4798**, closing the plugin flaws that could expose files and database data. A pri...

WordPress.org closes compromised EssentialPlugin plugins with forced update

Security Tool/Service
H score16 First: 15.04.2026 23:33 Last: 15.04.2026 23:33 Sources 1

About this happening: **WordPress.org** closed the compromised **EssentialPlugin** plugins and forced an update, changing how affected sites received and ran the package. The move mattered because the...

Elementor Ally 4.1.0 security patch release (CVE-2026-2313)

Security Patch Release
H score59 First: 11.03.2026 21:38 Last: 11.03.2026 21:38 Sources 1

About this happening: **Elementor** released **Ally 4.1.0** to fix **CVE-2026-2313**, a **SQL injection** flaw in the WordPress accessibility plugin that could expose **sensitive data**. The update lan...

Timeline

  1. 08.04.2026 18:10 1 articles · 3mo ago

    Ninja Forms developer issues partial fix for file upload flaw

    Mitigation Patch Update

    The Ninja Forms – File Upload Plugin developer issued a partial fix on February 10, 2026 for the arbitrary file upload flaw affecting plugin versions up to 3.3.26. The vulnerability had enabled unauthenticated attackers to upload malicious files, including .php payloads, and potentially reach remote code execution on WordPress sites.

    Show sources
  2. 08.04.2026 18:10 2 articles · 3mo ago

    Ninja Forms releases version 3.3.27 with complete patch

    Mitigation Patch Update

    The Ninja Forms – File Upload Plugin developer released version 3.3.27 on March 19, 2026 with a complete patch for the arbitrary file upload vulnerability and advised users to update immediately. The fix closed the path that had allowed unauthenticated file uploads and potential remote code execution on affected WordPress sites.

    Show sources
  3. 08.01.2026 02:00 1 articles · 6mo ago

    Sélim Lanouar reports critical Ninja Forms file upload flaw

    Initial Disclosure

    Sélim Lanouar, known as whattheslime, reported a critical arbitrary file upload vulnerability in Ninja Forms – File Upload Plugin through the Wordfence Bug Bounty Program, and Wordfence validated the report and confirmed a proof-of-concept exploit. The flaw affected plugin versions up to 3.3.26 on WordPress sites and could allow unauthenticated attackers to upload malicious files for remote code execution.

    Show sources