Critical Ninja Forms Flaw Allows Unauthenticated File Uploads

A severe vulnerability tracked as CVE-2026-0740 in the Ninja Forms File Uploads premium add-on for WordPress is being actively exploited, allowing attackers to upload arbitrary files without authentication. The flaw affects versions up to 3.3.26 of the popular plugin, which serves approximately 90,000 customers, and carries a critical severity rating of 9.8 out of 10. Wordfence reports blocking over 3,600 attacks in a single 24-hour period, highlighting active exploitation in the wild.

The vulnerability stems from insufficient validation of file types and extensions on destination filenames, enabling unauthenticated attackers to upload PHP scripts. Path traversal manipulation further allows malicious files to be moved directly to the webroot directory, leading to remote code execution. Potential consequences include web shell deployment and complete website takeover.
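The two weaknesses described above, trusting the extension of a caller-supplied destination name and letting that name carry path components, are closed by the same design choice: never derive the on-disk path from user input. The handler below is an added illustration written for this article, not code from Ninja Forms, Wordfence, or the fix in 3.3.27. It assumes a constructed allow-list of extensions and MIME types, that `$uploadDir` points outside the webroot (or somewhere script execution is disabled), and that PHP's `fileinfo` extension is available.

```php
<?php
// Added example, not Ninja Forms or Wordfence code. The stored filename is
// generated server-side from a validated extension, so a caller-supplied
// name can neither pick the extension nor move the file toward the webroot.
declare(strict_types=1);

// Assumed allow-list of extensions and the MIME types their contents must have.
const ALLOWED_TYPES = [
    'pdf'  => ['application/pdf'],
    'png'  => ['image/png'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'txt'  => ['text/plain'],
];

/**
 * Validate the caller-supplied name and return its allow-listed extension,
 * or null if the upload must be rejected. Only the extension survives; the
 * rest of the name is never used to build a filesystem path.
 */
function validated_extension(string $requestedName): ?string
{
    // Normalise separators and keep only the final component, so that
    // "../../x.php" and "..\\..\\x.php" both collapse to "x.php".
    $name = basename(str_replace('\\', '/', $requestedName));
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    // NUL and control characters can truncate or confuse later path handling.
    if (preg_match('/[\x00-\x1f\x7f]/', $name)) {
        return null;
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if ($ext === '' || !array_key_exists($ext, ALLOWED_TYPES)) {
        return null;
    }
    // A name like "a.php.png" yields "png"; that is fine only because the
    // stored name is random, so the "php" segment never reaches the disk.
    return $ext;
}

/**
 * Check that the bytes on disk agree with the claimed extension, so that a
 * script renamed to .png is rejected even though .png is allowed.
 */
function content_matches(string $tmpPath, string $ext): bool
{
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    return $mime !== false && in_array($mime, ALLOWED_TYPES[$ext], true);
}

/**
 * Store an upload and return its final path, or null on rejection.
 * $uploadDir is assumed to be outside the webroot or to have script
 * execution disabled; the caller influences only the extension.
 */
function store_upload(string $tmpPath, string $requestedName, string $uploadDir): ?string
{
    $ext = validated_extension($requestedName);
    if ($ext === null || !is_uploaded_file($tmpPath) || !content_matches($tmpPath, $ext)) {
        return null;
    }
    $base = realpath($uploadDir);
    if ($base === false || !is_dir($base)) {
        return null;
    }
    // Random server-chosen name: no traversal, no double-extension tricks.
    $dest = $base . DIRECTORY_SEPARATOR . bin2hex(random_bytes(16)) . '.' . $ext;
    // move_uploaded_file() refuses anything that did not arrive via HTTP upload.
    if (!move_uploaded_file($tmpPath, $dest)) {
        return null;
    }
    chmod($dest, 0644);
    return $dest;
}

// Constructed filenames exercising the validator (no files are written here).
$samples = ['report.pdf', '../../x.php', 'photo.PNG', 'a.php.png', "a.php\0.pdf", 'noext'];
foreach ($samples as $n) {
    printf("%-16s -> %s\n", addcslashes($n, "\0"), validated_extension($n) ?? 'rejected');
}
```

In a WordPress plugin the content-versus-extension check can be delegated to core's `wp_check_filetype_and_ext()` rather than calling `finfo` directly. As defence in depth, configure the web server to refuse to execute scripts under the upload directory, and alert on any newly created `.php` file beneath `wp-content/uploads`, which is the artifact this class of flaw leaves behind.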

Security researcher Sélim Lanouar discovered the issue and submitted it to Wordfence's bug bounty program on January 8. The vendor released a complete fix in version 3.3.27 on March 19, after an initial partial patch on February 10. Users of Ninja Forms File Uploads are strongly urged to upgrade immediately to the latest version to protect against ongoing exploitation attempts.
