A critical flaw in the Ninja Forms File Upload plugin allows unauthenticated attackers to upload malicious files and execute arbitrary code on WordPress servers. CVE-2026-0740 carries a CVSS score of 9.8 and affects approximately 50,000 active WordPress installations. The vulnerability was being actively exploited before a patch existed.
Security researcher Sélim Lanouar discovered the flaw and reported it through the Wordfence Bug Bounty Program on 8 January 2026, earning a $2,145 bounty. BleepingComputer reports that Wordfence blocked more than 3,600 attacks targeting this vulnerability in a 24-hour period, confirming active exploitation in the wild.
Two Patches Were Required to Close the Exposure
The initial patch was insufficient. The Ninja Forms vendor released version 3.3.25 on 10 February 2026 with what CyCognito describes as “a partial fix that addressed some but not all bypass vectors.” A complete fix only arrived with version 3.3.27 on 19 March 2026. Organizations that updated to the February patch and stopped there remain vulnerable to exploitation.
The flaw stems from inadequate file type validation in the plugin’s handle_upload function. According to Wordfence researchers, the plugin validates the source filename but fails to check the destination filename during the file move operation. Attackers can manipulate the destination path to bypass extension restrictions and write PHP webshells directly to the server.
Premium Plugin Updates Lag Behind WordPress.org
The Ninja Forms File Upload extension is sold separately from the core plugin, distributed through the vendor’s own channel rather than the WordPress.org repository. CyCognito warns that “premium extension updates do not always flow through the standard WordPress.org update pipeline.” This distribution method typically results in slower patch adoption compared to free plugins.
Administrators relying on WordPress auto-update mechanisms should verify the installed version manually rather than assuming the fix deployed automatically. The vulnerability affects all versions up to and including 3.3.26; any installation running a version below 3.3.27 should be considered compromised.
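The manual version check recommended above, as an added example that is not part of the article or of the vendor's code: it reads the plugin header block the way WordPress does, extracts the `Version:` value and compares it against 3.3.27, the first release with the complete fix. The article does not give the extension's on-disk path, so `PLUGIN_MAIN_FILE` is a placeholder and the header text is a constructed sample.

```python
import re

# Placeholder: the article does not name the extension's main file. Point this at
# the plugin's main PHP file under wp-content/plugins/ on the server you check.
PLUGIN_MAIN_FILE = "wp-content/plugins/<ninja-forms-uploads-dir>/<main-file>.php"

# Constructed sample of a WordPress plugin header as found at the top of a
# plugin's main PHP file; the version here is the partially fixed February release.
SAMPLE_HEADER = """<?php
/*
Plugin Name: Ninja Forms - File Uploads
Version: 3.3.25
*/
"""

# First version with the complete fix, per the advisory.
FIXED_VERSION = (3, 3, 27)

def parse_version(text):
    """Extract the 'Version:' header value (WordPress matches it case-insensitively)."""
    m = re.search(r"^[ \t/*#]*Version:[ \t]*([0-9][0-9A-Za-z.\-]*)",
                  text, re.MULTILINE | re.IGNORECASE)
    return m.group(1).strip() if m else None

def version_tuple(v):
    """Turn '3.3.27', '3.3' or '3.3.27-beta' into a comparable 3-tuple of ints."""
    nums = re.match(r"\d+(?:\.\d+)*", v).group(0)
    parts = tuple(int(p) for p in nums.split("."))
    return parts + (0,) * (3 - len(parts))

def is_vulnerable(v):
    """Everything below 3.3.27 is affected, including the partial 3.3.25/3.3.26 fixes."""
    return version_tuple(v) < FIXED_VERSION

def check_header(text):
    """Classify a plugin header as vulnerable, patched or unknown (no version found)."""
    v = parse_version(text)
    if v is None:
        return {"version": None, "status": "unknown"}
    return {"version": v, "status": "vulnerable" if is_vulnerable(v) else "patched"}

def check_file(path):
    """Read only the head of the file: WordPress itself scans the first 8 KiB for headers."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return check_header(fh.read(8192))

if __name__ == "__main__":
    print(check_header(SAMPLE_HEADER))  # constructed sample: reports 'vulnerable'
```

Run `check_file(PLUGIN_MAIN_FILE)` on each site after pointing the placeholder at the real file; a result of `unknown` means the header was not found and the file path should be rechecked rather than assumed patched.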
Check Your Server for Webshells Today
Update to version 3.3.27 immediately. The plugin is distributed through ninjaforms.com, not the WordPress.org repository, so the update must be downloaded from the vendor.
Before patching, scan your server for malicious uploads. According to multiple security firms, attackers have been uploading webshells with randomised 8-character names to publicly accessible directories. Check your WordPress uploads folder and the ninja-forms/tmp/ directory for unexpected PHP files.
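The webshell scan described above, as an added example rather than code from the article or from any of the security firms it cites: it walks an uploads tree, flags any file carrying a PHP-style extension anywhere in its name (so `photo.php.jpg` is caught as well as `shell.php`), flags any file whose first bytes contain a PHP open tag regardless of extension, and marks the 8-character alphanumeric names the article reports. The directory layout and file contents are a constructed sample built in a temporary folder; the extension list and the 8-character pattern are assumptions drawn from the article's description.

```python
import os
import re
import tempfile

# Extensions that common PHP handlers execute; assumed list, extend to match your server.
PHP_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar", "phps"}
# Assumed shape of the "randomised 8-character names" the article mentions.
RANDOM_NAME_RE = re.compile(r"^[A-Za-z0-9]{8}$")

def name_reasons(name):
    """Flag a PHP-style extension in any position of the filename, not just the last."""
    exts = name.lower().split(".")[1:]
    return ["php-extension"] if any(e in PHP_EXTENSIONS for e in exts) else []

def content_reasons(path):
    """Flag a PHP open tag in the first 4 KiB, catching shells hidden behind .txt or image names."""
    with open(path, "rb") as fh:
        head = fh.read(4096)
    return ["php-open-tag"] if (b"<?php" in head or b"<?=" in head) else []

def classify(path):
    """Return the list of reasons a file looks like a planted PHP file (empty if none)."""
    name = os.path.basename(path)
    reasons = name_reasons(name) + content_reasons(path)
    stem = name.split(".")[0]
    # The random-name marker is only added on top of a PHP finding, to avoid
    # flagging ordinary uploads such as 'abcdefgh.jpg'.
    if reasons and RANDOM_NAME_RE.match(stem):
        reasons.append("random-8char-name")
    return reasons

def scan_tree(root):
    """Walk an uploads tree and map each suspicious file (relative path) to its reasons."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            p = os.path.join(dirpath, f)
            reasons = classify(p)
            if reasons:
                findings[os.path.relpath(p, root).replace(os.sep, "/")] = reasons
    return findings

def build_sample_tree(root):
    """Constructed sample: benign uploads plus planted test cases mirroring the article's paths."""
    samples = {
        "2026/03/holiday.jpg": b"\xff\xd8\xff\xe0JFIF",
        "2026/03/report.pdf": b"%PDF-1.7",
        "2026/03/a8Kq2xZp.php": b"<?php /* constructed test marker */ ?>",
        "ninja-forms/tmp/invoice.pdf": b"%PDF-1.7",
        "ninja-forms/tmp/photo.php.jpg": b"<?php /* constructed test marker */ ?>",
        "ninja-forms/tmp/notes.txt": b"<?php /* constructed test marker */ ?>",
    }
    for rel, data in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)

def demo():
    """Build the constructed tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)

if __name__ == "__main__":
    for rel, reasons in sorted(demo().items()):
        print(f"{rel}: {', '.join(reasons)}")
```

On a real site, call `scan_tree("wp-content/uploads")` and review every hit before deleting anything; a legitimate file will occasionally carry `<?=` in its first bytes, so the reasons are there to guide triage, not to act on automatically.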
If you cannot patch immediately, disable file upload functionality on forms exposed to the public internet or restrict uploads to authenticated users only. Web application firewall rules blocking PHP and executable file uploads provide partial protection but are not a permanent solution.
References
- CVE-2026-0740 Technical Details
- BleepingComputer: Hackers Exploit Critical Flaw in Ninja Forms
- Wordfence Threat Intelligence
- Ninja Forms File Upload Plugin