Unauthenticated remote code execution vulnerability in Ninja Forms File Uploads plugin exploited in the wild
Summary
A critical vulnerability in the Ninja Forms File Uploads premium WordPress add-on (CVE-2026-0740) is being actively exploited to achieve unauthenticated remote code execution. The flaw allows attackers to upload arbitrary files, including malicious PHP scripts, by bypassing file type validation and performing path traversal through unsanitized filenames. The add-on has over 90,000 active installations, and exploitation can lead to full server compromise, web shell deployment, and site takeover. The issue affects Ninja Forms File Upload versions up to 3.3.26 and carries a CVSS score of 9.8, reflecting its high severity and immediate exploitability.
Timeline
- 08.04.2026 01:03
Critical Ninja Forms File Uploads vulnerability (CVE-2026-0740) exploited for unauthenticated RCE
Exploitation of CVE-2026-0740 in Ninja Forms File Uploads versions up to 3.3.26 has been detected in the wild. The flaw allows unauthenticated file uploads with arbitrary extensions and path traversal via unsanitized filenames, leading to remote code execution on affected WordPress servers. Wordfence reports over 3,600 blocked attempts in 24 hours. A patched version (3.3.27) was released on March 19, 2026, following coordinated disclosure and temporary mitigations.
- Hackers exploit critical flaw in Ninja Forms WordPress plugin — www.bleepingcomputer.com — 08.04.2026 01:03
Information Snippets
- CVE-2026-0740 affects Ninja Forms File Upload versions up to 3.3.26 with a CVSS score of 9.8.
  First reported: 08.04.2026 01:03 (1 source, 1 article)
- The vulnerability enables unauthenticated attackers to upload arbitrary files, including PHP scripts, and manipulate filenames to perform path traversal due to missing file type validation and sanitization.
  First reported: 08.04.2026 01:03 (1 source, 1 article)
- Exploitation allows remote code execution on the server hosting the vulnerable WordPress installation, potentially leading to web shell deployment and full site takeover.
  First reported: 08.04.2026 01:03 (1 source, 1 article)
- Wordfence’s firewall blocked over 3,600 exploitation attempts against CVE-2026-0740 in the past 24 hours.
  First reported: 08.04.2026 01:03 (1 source, 1 article)
- The vulnerability was reported to Wordfence via its bug bounty program by researcher Sélim Lanouar on January 8, 2026, and was disclosed to the vendor the same day.
  First reported: 08.04.2026 01:03 (1 source, 1 article)
- A complete patch was released in Ninja Forms File Upload version 3.3.27 on March 19, 2026, following initial mitigations and partial fixes deployed on February 10, 2026.
  First reported: 08.04.2026 01:03 (1 source, 1 article)