Ninja Forms file uploads – unauthenticated remote code execution
Published: April 22, 2026
Summary
A critical unauthenticated Remote Code Execution (RCE) vulnerability has been identified in the Ninja Forms – File Uploads extension for WordPress (CVE-2026-0740). The flaw stems from a lack of file type validation in the plugin’s AJAX upload handler, allowing any unauthenticated attacker to upload arbitrary files — including PHP web shells — directly to the web server. Successful exploitation can result in full server compromise. All plugin versions up to and including 3.3.26 are affected. A complete fix is available in version 3.3.27, released March 19, 2026. Immediate upgrading is strongly recommended.
Vulnerability details
CVE: CVE-2026-0740
CVSS v3.1 Score: 9.8 (Critical) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-434 – Unrestricted Upload of File with Dangerous Type
Disclosed: April 6–7, 2026 (Wordfence / NVD)
Exploit status: Public proof-of-concept exploits available on GitHub; no confirmed widespread exploitation in the wild at time of publication.
The vulnerability resides in the NF_FU_AJAX_Controllers_Uploads::handle_upload function. The plugin validates the file type of the source filename, but fails to validate the destination filename during the file move operation. An attacker can manipulate the destination path to bypass the extension allowlist, writing a malicious PHP file (e.g., a web shell) to the server without any authentication.
Because the AJAX endpoint is publicly accessible with no authentication or capability check, exploitation requires only network access to a vulnerable WordPress installation. Once a web shell is uploaded, the attacker gains arbitrary command execution within the web server process.
Impact includes:
- Remote code execution on the underlying web server
- Full server compromise and data exfiltration
- Lateral movement or deeper pivoting into the hosting environment
- Potential compromise of all WordPress database credentials and site content
Impacted versions
All versions of the Ninja Forms – File Uploads plugin before 3.3.27 are at least partially vulnerable.
Recommendations
- Update immediately: Upgrade the Ninja Forms – File Uploads plugin to version 3.3.27 or later. Verify the update has applied, as premium extensions may not auto-update through WordPress.org.
- Verify installed version: In the WordPress admin dashboard, navigate to Plugins and confirm the Ninja Forms – File Uploads version is 3.3.27 or later.
Note: Premium plugin updates for Ninja Forms do not always flow through the standard WordPress.org update pipeline. Administrators should manually verify the installed version and apply the update through the vendor channel at ninjaforms.com if auto-updates have not applied version 3.3.27.
- Audit uploaded files: Review the WordPress uploads directory for unexpected or suspicious files (e.g., .php files in wp-content/uploads/ or plugin upload staging directories).
- Check for indicators of compromise: Search web server access logs for POST requests to admin-ajax.php with action parameters related to Ninja Forms file uploads.
- Review web server configuration: Ensure PHP execution is disabled in the WordPress uploads directory (wp-content/uploads/) as a defence-in-depth measure.
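The following script is an added example for the audit and indicator-of-compromise steps above; it is not part of the original advisory or of the Ninja Forms plugin. It walks an uploads tree for files with PHP-executable extensions and classifies web server access-log lines (combined log format) into the two patterns of interest: POSTs to admin-ajax.php, with the action value when it appears in the query string, and any request for a .php path under an uploads directory. The extension list, the nf_fu_ action prefix, and the sample files and log lines are constructed assumptions; adjust them to your handler configuration and what you see in your own logs.

```python
"""Defender-side checks for CVE-2026-0740 (added example, not advisory code):
audit an uploads tree for PHP files and flag access-log lines that hit the
Ninja Forms upload AJAX endpoint or fetch a .php file from uploads."""
import os
import re
import tempfile
from urllib.parse import parse_qs, urlsplit

# Extensions that Apache/PHP-FPM setups commonly execute as PHP.
# Assumption: extend this to match your own handler configuration.
PHP_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar"}

# Assumption: the plugin's upload action is passed as ?action=nf_fu_...; the
# advisory only says "action parameters related to Ninja Forms file uploads".
ACTION_PREFIX = "nf_fu_"

# Combined log format: host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (RFC 5737 addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Apr/2026:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=nf_fu_upload HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.7 - - [20/Apr/2026:10:02:15 +0000] "GET /wp-content/uploads/2026/04/shell.php HTTP/1.1" 200 87 "-" "curl/8.0"',
    '192.0.2.9 - - [20/Apr/2026:10:03:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 40 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [20/Apr/2026:10:04:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 40 "-" "Mozilla/5.0"',
]


def find_php_files(uploads_dir):
    """Return sorted paths (relative to uploads_dir) whose last extension is
    PHP-like. A double extension such as resume.pdf.phtml is still caught
    because only the final suffix decides how the web server handles it."""
    hits = []
    for root, _dirs, files in os.walk(uploads_dir):
        for name in files:
            if os.path.splitext(name)[1].lower() in PHP_EXTENSIONS:
                hits.append(os.path.relpath(os.path.join(root, name), uploads_dir))
    return sorted(hits)


def scan_access_log(log_lines):
    """Split log lines into (ajax_posts, uploads_php_requests).

    ajax_posts holds every POST to admin-ajax.php; 'action' is the query-string
    value when present, otherwise None (actions sent only in the POST body are
    not visible in access logs and need manual correlation with file mtimes).
    uploads_php_requests holds any request for a PHP-like path under /uploads/,
    i.e. a possible web shell being fetched after a successful upload."""
    ajax_posts, uploads_php = [], []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined log format; skip rather than guess
        url = urlsplit(m.group("target"))
        entry = {
            "host": m.group("host"),
            "time": m.group("time"),
            "path": url.path,
            "status": int(m.group("status")),
        }
        if m.group("method") == "POST" and url.path.endswith("/admin-ajax.php"):
            action = parse_qs(url.query).get("action", [None])[0]
            entry["action"] = action
            entry["nf_upload"] = bool(action and action.startswith(ACTION_PREFIX))
            ajax_posts.append(entry)
        elif "/uploads/" in url.path and os.path.splitext(url.path)[1].lower() in PHP_EXTENSIONS:
            uploads_php.append(entry)
    return ajax_posts, uploads_php


def build_sample_uploads_tree():
    """Create a constructed uploads tree in a temp dir for demonstration.
    File names and the ninja-forms/tmp path are assumptions, not plugin layout."""
    root = tempfile.mkdtemp(prefix="uploads-")
    for rel in ("2026/04/photo.jpg", "2026/04/shell.php",
                "2026/04/notes.txt", "ninja-forms/tmp/resume.pdf.phtml"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"placeholder content\n")
    return root


if __name__ == "__main__":
    # Usage on a real host: find_php_files("/var/www/html/wp-content/uploads")
    # and scan_access_log(open("/var/log/apache2/access.log")).
    for rel in find_php_files(build_sample_uploads_tree()):
        print("PHP-like file in uploads:", rel)
    ajax, php = scan_access_log(SAMPLE_LOG)
    for e in ajax:
        print("admin-ajax POST", e["host"], e["time"], "action=", e["action"],
              "(Ninja Forms upload)" if e["nf_upload"] else "")
    for e in php:
        print("PHP fetched from uploads:", e["host"], e["path"], e["status"])
```

A hit from find_php_files is not proof of compromise on its own (some themes ship legitimate PHP under uploads), but a .php file under uploads that also appears as a fetched path in the log, shortly after an admin-ajax.php POST from the same client, is a strong indicator worth escalating.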
Mitigations
If immediate patching is not feasible, consider the following temporary mitigations.
Disable PHP execution in uploads directories.
Add the following to the .htaccess file in wp-content/uploads/ (Apache) to block direct execution of uploaded PHP files:
    <FilesMatch "\.php$">
        deny from all
    </FilesMatch>
For Nginx, add the following to the server block:
    location ~* /uploads/.*\.php$ { deny all; }
Deactivate the plugin
If file upload functionality is not critical to operations, deactivate the Ninja Forms – File Uploads extension from the WordPress admin dashboard (Plugins → Installed Plugins) until the update can be applied.
Web Application Firewall (WAF) rules
Wordfence’s firewall rules for CVE-2026-0740 are available to Premium users. Free users receive the rule after a 30-day delay, which should now be in place. If your unit uses another WAF solution, consult your vendor for available signatures that cover CWE-434: unauthenticated file upload via WordPress AJAX endpoints.
References
- [Wordfence] Ninja Forms – File Upload <= 3.3.26 – Unauthenticated Arbitrary File Upload
- [Wordfence] 50,000 WordPress Sites affected by Arbitrary File Upload Vulnerability in Ninja Forms – File Upload WordPress Plugin
- [NIST] NVD – CVE-2026-0740
- [CyCognito] Emerging Threat: (CVE-2026-0740) Ninja Forms File Upload Unauthenticated RCE
Support
As always, please let us know if you have any questions or concerns or see unusual activity on your systems that you believe might be associated with this or any other vulnerability. Please send these communications to security.response@utoronto.ca.
