Critical Unauthenticated File‑Upload RCE Vulnerability (CVE‑2026‑0740) in Ninja Forms WordPress Plugin Exploited in the Wild
What Happened — A critical flaw (CVE‑2026‑0740) in the Ninja Forms File Uploads premium add‑on allowed unauthenticated attackers to upload arbitrary files, including PHP scripts, and perform path‑traversal to the web‑root. The vulnerability enables remote code execution and has been observed in active exploitation campaigns, with Wordfence blocking >3,600 attempts in a single day.
Why It Matters for TPRM —
- The plugin is bundled with over 600 k WordPress installations, exposing a large third‑party attack surface.
- Successful exploitation can lead to full site takeover, data theft, and the deployment of web‑shells that compromise downstream services.
- Ongoing exploitation indicates that existing perimeter controls (e.g., firewalls) may be insufficient without patching.
Who Is Affected — SaaS platforms, digital agencies, e‑commerce sites, and any organization that embeds Ninja Forms File Uploads in its WordPress environment (across all verticals).
Recommended Actions —
- Verify whether any of your managed WordPress sites run Ninja Forms File Uploads ≤ 3.3.26.
- Immediately upgrade to version 3.3.27 or later.
- Apply temporary WAF rules (e.g., block PHP uploads to the plugin directory) while patching.
- Review file‑upload controls and logging to detect any post‑exploitation activity.
Technical Notes — Attack vector: unauthenticated arbitrary file upload → remote code execution. CVE‑2026‑0740, CVSS 9.8 (Critical). Affected component: Ninja Forms File Uploads ≤ 3.3.26. Exploited data types: PHP web‑shells, malicious scripts. Source: BleepingComputer