Hackers exploit critical flaw in Ninja Forms WordPress plugin
Hackers have exploited a critical flaw (CVE-2026-0740) in the Ninja Forms WordPress plugin’s File Uploads premium add-on, allowing unauthenticated attackers to upload arbitrary files, including PHP scripts, to any location on the server, enabling remote code execution and potential site takeover. The vulnerability, discovered by security researcher Sélim Lanouar, was reported to Wordfence in January 2026, prompting temporary firewall mitigations and a full patch released in version 3.3.27 on March 19. With over 600,000 downloads and more than 3,600 attacks detected in the past 24 hours, users of Ninja Forms File Upload are urged to upgrade immediately to prevent exploitation.

A critical vulnerability has been disclosed in the Ninja Forms File Uploads premium add-on for WordPress, and it is already being exploited in the wild. The flaw, tracked as CVE-2026-0740, stems from insufficient validation of the destination filename when files are uploaded, which can allow an unauthenticated attacker to place arbitrary files on the server. With this capability, attackers can upload malicious scripts, such as PHP payloads, and even manipulate filenames to enable path traversal.
Ninja Forms is a widely used WordPress form builder that enables users to create forms through a drag-and-drop interface. The File Upload extension, which ships with the Ninja Forms suite, serves a large user base and contributes significantly to the plugin’s appeal. Recent activity indicates that this vulnerability is not merely theoretical; it is actively being targeted by attackers. Security researchers report thousands of probing attempts observed by Wordfence’s sensors in a single day, underscoring the severity and immediacy of the risk.
The exposure is rated extremely high on the vulnerability scale, with a severity score approaching the maximum. The issue affects Ninja Forms File Upload versions up to 3.3.26. The core of the problem is that the destination filename is not validated for file type or extension before the final move operation. As a result, a file whose name looks harmless can slip through, and an attacker can craft names that bypass superficial checks. The lack of filename sanitization also opens the door to path traversal, allowing a malicious file to be moved into sensitive locations, including the web root. Once an attacker can place a PHP (or other executable) file in an accessible location, remote code execution becomes possible, with attackers potentially deploying web shells and taking control of the site.
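To make the failure mode concrete, the following is an added illustration, not Ninja Forms code and not the actual patch. It contrasts a "move" that joins a client-supplied name straight onto the upload directory (the class of defect described above) with a hardened destination check that strips directory components, enforces an extension allowlist, refuses server-executable extensions in any position of the name, and confirms the resolved target stays inside the upload directory. The function names, the allowlist, the executable-extension list and the sample names are assumptions constructed for this example.

```php
<?php
// Added example (not Ninja Forms code). Contrasts an upload "move" that trusts
// the client-supplied destination name with a hardened version. The function
// names, the allowlist and the sample names are assumptions constructed for
// this illustration.

// Extensions a PHP-capable web server may execute; never accepted in any
// position of an uploaded name (assumed list, extend to match the server).
const EXECUTABLE_EXT = ['php', 'phtml', 'phar', 'php3', 'php4', 'php5', 'php7', 'phps'];

// Weak pattern: the destination name comes straight from the request and is
// joined to the upload directory, so "../" segments and a .php suffix survive.
function weak_destination(string $upload_dir, string $client_name): string
{
    return rtrim($upload_dir, '/') . '/' . $client_name;
}

// Hardened pattern: reject control characters, drop directory components,
// enforce an extension allowlist, refuse executable extensions anywhere in the
// name, and confirm the resolved target still sits in the upload directory.
// Returns null when the name must be refused.
function safe_destination(string $upload_dir, string $client_name, array $allowed_ext): ?string
{
    // 1. Control characters (including NUL) have no place in a filename.
    if ($client_name === '' || preg_match('/[\x00-\x1f\x7f]/', $client_name)) {
        return null;
    }
    // 2. Keep only the last path segment; this removes "../" and absolute paths.
    $name = basename(str_replace('\\', '/', $client_name));
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    // 3. The final extension, lowercased, must be on the allowlist.
    $parts = array_map('strtolower', explode('.', $name));
    $ext = count($parts) > 1 ? end($parts) : '';
    if ($ext === '' || !in_array($ext, $allowed_ext, true)) {
        return null;
    }
    // 4. No executable extension in any position: "shell.php.jpg" is refused
    //    because some server configurations execute on the inner extension.
    if (count(array_intersect(array_slice($parts, 1), EXECUTABLE_EXT)) > 0) {
        return null;
    }
    // 5. Containment: the parent of the resolved target must be the upload dir.
    $base = realpath($upload_dir);
    if ($base === false) {
        return null;
    }
    $target = $base . DIRECTORY_SEPARATOR . $name;
    return dirname($target) === $base ? $target : null;
}

// Demonstration on constructed names (the directory is created for the run).
$dir = sys_get_temp_dir() . '/upload_demo';
if (!is_dir($dir)) {
    mkdir($dir, 0700);
}
$allowed = ['jpg', 'png', 'pdf'];
$samples = ['report.pdf', '../../shell.php', 'image.jpg.php', 'IMAGE.PHP',
            'shell.php.jpg', "a\0.jpg", '/etc/passwd'];
foreach ($samples as $s) {
    printf("%-20s weak -> %-45s safe -> %s\n",
        json_encode($s),
        weak_destination($dir, $s),
        safe_destination($dir, $s, $allowed) ?? 'REJECTED');
}
```

Only `report.pdf` survives the hardened check; every traversal, double-extension, case-variant, NUL-byte and absolute-path name is rejected before any move would take place. The allowlist on the final extension and the executable-extension denylist across all positions are independent checks on purpose: an allowlist alone would accept `shell.php.jpg`, and a denylist alone would accept any new or unusual extension the server happens to execute.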
Discovery and the path to patch
The flaw was discovered by security researcher Sélim Lanouar (handle whattheslime), who submitted the issue to Wordfence’s bug bounty program on January 8. After validating the report, Wordfence notified the vendor the same day and began providing temporary mitigations through firewall rules to protect sites running the vulnerable add-on. A staged fix followed, with a partial remediation implemented on February 10. The vendor released a complete, official fix in version 3.3.27, available from March 19, 2026.
What this means for Ninja Forms users
Users of the File Upload extension should treat this as an urgent security matter. The fastest path to reducing risk is to upgrade to the patched version (3.3.27 or newer) as soon as possible. Given the volume of exploitation attempts detected daily, delaying an upgrade can leave a site exposed to remote code execution and subsequent compromises. Monitoring for suspicious PHP files appearing in the webroot or other upload directories is also prudent, as is reviewing server access logs for unusual upload activity.
Impact and remediation
If exploited, the vulnerability can enable attackers to upload arbitrary content, execute code on the server, and potentially gain complete control over the WordPress site. This kind of breach can lead to a full site takeover, data exfiltration, or use of the compromised site as a foothold for broader attacks. The immediate remediation is clear: update to the latest Ninja Forms File Upload plugin, ensure the site firewall or security stack is configured to block unauthenticated upload attempts, and conduct a post-incident review of file upload activity across the site.
In the wake of this vulnerability, site owners and administrators should confirm they are running version 3.3.27 or newer of Ninja Forms File Upload, verify that all WordPress components in the Ninja Forms ecosystem are up to date, and consider additional hardening around upload handling, such as restricting allowed file types, employing server-side scanning for uploaded content, and implementing stricter file and path handling rules.
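The monitoring advice above (watching for PHP files under the upload directories and reviewing access logs for unusual upload activity) and the post-incident review of file upload activity can both be scripted. The following is an added example, not Ninja Forms or Wordfence code: it scans an uploads tree for files carrying a server-executable extension in any position, and it passes over web-server access log lines in the common "combined" format to flag requests that fetch such a file from under the uploads path, which is the usual sign of a dropped web shell being accessed (a 200 response) or probed for (a 404). The directory layout, the log lines, the `/wp-content/uploads/` prefix and the executable-extension list are assumptions constructed for this illustration; adapt them to the site.

```php
<?php
// Added example (not Ninja Forms or Wordfence code). Two post-patch checks a
// site owner can run: a scan of the uploads tree for server-executable files,
// and a pass over access-log lines for requests that fetch such files.
// The directory layout, the log lines and the extension list are constructed
// assumptions for this illustration.

const EXECUTABLE_EXT = ['php', 'phtml', 'phar', 'php3', 'php4', 'php5', 'php7', 'phps'];

// True when any dot-separated part after the first is an executable extension,
// so "shell.php", "logo.png.php" and "img.php.jpg" all match.
function has_executable_extension(string $filename): bool
{
    $parts = array_map('strtolower', explode('.', $filename));
    array_shift($parts);
    return count(array_intersect($parts, EXECUTABLE_EXT)) > 0;
}

// Check 1: walk the uploads directory and list files that should not be there.
// In a WordPress install nothing under wp-content/uploads should be executable.
function find_executable_uploads(string $uploads_dir): array
{
    $hits = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($uploads_dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        if ($file->isFile() && has_executable_extension($file->getFilename())) {
            $hits[] = $file->getPathname();
        }
    }
    sort($hits);
    return $hits;
}

// Check 2: from "combined"-format access-log lines, return every request whose
// path is under the uploads prefix and names an executable file. A 200 here is
// the classic sign of a dropped web shell being used; a 404 is a probe.
function uploaded_script_requests(array $log_lines, string $uploads_prefix = '/wp-content/uploads/'): array
{
    $re = '~^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})~';
    $flagged = [];
    foreach ($log_lines as $line) {
        if (!preg_match($re, $line, $m)) {
            continue;
        }
        [, $ip, $time, $method, $path, $status] = $m;
        $clean = rawurldecode(strtok($path, '?'));   // drop any query string
        if (strpos($clean, $uploads_prefix) !== 0 || !has_executable_extension(basename($clean))) {
            continue;
        }
        $flagged[] = ['ip' => $ip, 'time' => $time, 'method' => $method,
                      'path' => $clean, 'status' => (int) $status];
    }
    return $flagged;
}

// Demonstration with a constructed uploads tree and constructed log lines.
$root = sys_get_temp_dir() . '/uploads_scan_demo/2026/03';
if (!is_dir($root)) {
    mkdir($root, 0700, true);
}
foreach (['brochure.pdf', 'x.php', 'logo.png.php'] as $f) {
    touch("$root/$f");
}
print_r(find_executable_uploads(sys_get_temp_dir() . '/uploads_scan_demo'));

$sample_log = [  // constructed lines; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges
    '203.0.113.5 - - [20/Mar/2026:10:01:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.5 - - [20/Mar/2026:10:01:05 +0000] "GET /wp-content/uploads/2026/03/x.php HTTP/1.1" 200 80 "-" "curl/8.0"',
    '198.51.100.7 - - [20/Mar/2026:10:02:11 +0000] "GET /wp-content/uploads/2026/03/brochure.pdf HTTP/1.1" 200 9182 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [20/Mar/2026:10:02:20 +0000] "GET /wp-content/uploads/2026/03/logo.png.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
];
print_r(uploaded_script_requests($sample_log));
```

On the constructed data the directory scan reports `x.php` and `logo.png.php` but not `brochure.pdf`, and the log pass flags the two requests for those same names. A scan that finds nothing today is only a point-in-time result; the access-log pass is what catches a file that was dropped, used and deleted between scans, so keep both, and pair them with the server-side content scanning mentioned above rather than relying on extension alone.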
As this vulnerability demonstrates, even widely used plugins with robust feature sets can harbor critical weaknesses if input validation and filename handling are not tightly controlled. Keeping software up to date and maintaining layered security controls remains essential to reducing risk in today’s threat landscape.