
Critical Ninja Forms vulnerability allows remote code execution


A critical vulnerability in the Ninja Forms File Uploads premium add-on for WordPress allows unauthenticated arbitrary file uploads, potentially leading to remote code execution. The flaw, tracked as CVE-2026-0740, is being actively exploited: Wordfence blocked more than 3,600 attack attempts within 24 hours, Bleeping Computer reports.

The vulnerability, which affects versions up to 3.3.26, carries a critical severity rating of 9.8 out of 10. It stems from missing validation of the file type and extension of the destination filename. Unauthenticated attackers can therefore upload malicious files, including PHP scripts, and use path traversal to place them in sensitive directories such as the webroot. Successful exploitation can lead to the deployment of web shells and complete takeover of the site. The issue was discovered by security researcher Sélim Lanouar and reported to Wordfence, which then disclosed it to the vendor.
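The two controls the article says were missing, an extension allowlist on the destination filename and containment of the final path inside the upload directory, are shown below in a hardened destination-path builder. This is an added illustration written for this page, not code from Ninja Forms or Wordfence; the function name, the directory and the sample filenames are constructed for the example.

```php
<?php
// Added example (not Ninja Forms code): build a safe destination path for a
// user upload. Hypothetical names throughout.

declare(strict_types=1);

// Extensions that must never be written to a web-served directory, regardless
// of what the caller's allowlist contains.
const EXECUTABLE_EXTENSIONS = ['php', 'phtml', 'php3', 'php4', 'php5', 'php7', 'phps', 'phar', 'htaccess'];

/**
 * Returns an absolute destination path inside $uploadDir, or null when the
 * upload must be rejected. The caller moves the temporary file only on non-null.
 */
function safe_upload_destination(string $uploadDir, string $clientName, array $allowedExtensions): ?string
{
    // 1. Discard any directory components the client supplied, so
    //    "../../wp-content/x.png" collapses to "x.png" (defeats traversal).
    $base = basename(str_replace('\\', '/', $clientName));
    if ($base === '' || strpos($base, "\0") !== false) {
        return null;
    }

    // 2. Check every dot-separated segment, not just the last one, so a
    //    double extension such as "shell.php.jpg" is still refused.
    $parts = explode('.', strtolower($base));
    array_shift($parts);                          // drop the filename stem
    $ext = end($parts);
    if ($ext === false || $ext === '' || !in_array($ext, $allowedExtensions, true)) {
        return null;
    }
    foreach ($parts as $segment) {
        if (in_array($segment, EXECUTABLE_EXTENSIONS, true)) {
            return null;
        }
    }

    // 3. Never reuse the client's stem: a random server-generated name removes
    //    any remaining influence over where or under what name the file lands.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;

    // 4. Resolve the upload directory and confirm the final path stays inside it
    //    (defence in depth; $stored contains no separators by construction).
    $root = realpath($uploadDir);
    if ($root === false || !is_dir($root)) {
        return null;
    }
    $dest = $root . DIRECTORY_SEPARATOR . $stored;
    if (strpos($dest, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $dest;
}

// Constructed sample inputs: the kinds of names an upload endpoint receives.
$allowed = ['pdf', 'png', 'jpg'];
$samples = [
    'report.pdf',                                   // accepted
    '../../../wp-content/uploads/shell.php',        // rejected: traversal + .php
    'photo.php.jpg',                                // rejected: executable segment
    'image.PNG',                                    // accepted (case-insensitive)
];
foreach ($samples as $name) {
    $result = safe_upload_destination(sys_get_temp_dir(), $name, $allowed);
    printf("%-45s -> %s\n", $name, $result === null ? 'REJECTED' : 'accepted');
}
```

Generating the stored filename server-side is the design choice that matters most here: once the client no longer controls the stem or the directory, the traversal vector described in the article disappears, and the extension allowlist is the only remaining decision.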

The vendor released a patched version, 3.3.27, on March 19. Given the active exploitation and the wide deployment of Ninja Forms, which has over 90,000 customers, users are strongly urged to update immediately to prevent compromise.

Source: Bleeping Computer
