50,000 WordPress Sites Exposed to Critical Ninja Forms File Upload RCE Vulnerability

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

A critical security flaw in the popular WordPress plugin “Ninja Forms – File Upload” has left approximately 50,000 websites vulnerable to complete takeover.

Tracked as CVE-2026-0740, the flaw carries the maximum CVSS severity score of 9.8, making it a severe threat that requires immediate attention from website administrators.

Discovered by security researcher Sélim Lanouar, who earned a $2,145 bug bounty for the find, the vulnerability is classified as an Unauthenticated Arbitrary File Upload.

In simple terms, this means that anyone on the internet can upload malicious files to a target website without needing an account, username, or password.

If successfully exploited, an attacker can achieve Remote Code Execution (RCE), granting them total control over the underlying web server.

50,000 WordPress Sites Exposed

The Ninja Forms File Upload addon manages user file submissions via the PHP function handle_upload().

When processing these files, this function calls the _process() method to move the temporary uploaded files to their final destination folder on the server.

While the plugin attempts to verify the type of the originally uploaded file, a critical oversight occurs just before the file is saved.

How an attacker could exploit the flaw (Source: Wordfence)

The code fails to validate the destination filename’s file extension during the move_uploaded_file() operation. Furthermore, the plugin lacks proper filename sanitization.

This combination allows an attacker to manipulate the destination file path, a technique known as path traversal.

By doing so, they can bypass the intended restrictions and upload highly dangerous .php files directly into the website’s root directory, completely bypassing the normal safety checks.
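The gap described above is in the check on the destination filename, not the original upload. The following PHP is an added illustration, written for this article and not code from the plugin or from Wordfence, of the validation a file-upload handler should perform on the final filename before calling move_uploaded_file(): strip directory components, restrict the character set, check every extension segment against a configured allowlist, and confirm the resolved path stays inside the upload directory. The upload directory, the allowlist and the sample filenames are all assumptions constructed for the demonstration.

```php
<?php
// Added illustration (not the plugin's code): validating the *destination*
// filename before move_uploaded_file(). $uploadDir, $allowedExt and the
// sample names below are constructed assumptions for the demonstration.

declare(strict_types=1);

/**
 * Return a safe absolute destination path inside $uploadDir, or null to reject.
 *
 * @param string   $uploadDir     Directory the form is configured to write into.
 * @param string   $requestedName Filename as supplied by the client.
 * @param string[] $allowedExt    Lower-case extensions the form permits.
 */
function safe_destination(string $uploadDir, string $requestedName, array $allowedExt): ?string
{
    // 1. Drop any directory component so "../../x.php" becomes "x.php".
    $name = basename(str_replace('\\', '/', $requestedName));

    // 2. Conservative character set; no dot-files (e.g. .htaccess).
    if ($name === '' || $name[0] === '.' || !preg_match('/^[A-Za-z0-9._-]+$/', $name)) {
        return null;
    }

    // 3. Every segment after the first must be an allowed extension, so
    //    "image.php.jpg" and "image.jpg.php" are both rejected.
    $parts = explode('.', $name);
    if (count($parts) < 2) {
        return null; // no extension at all
    }
    foreach (array_slice($parts, 1) as $segment) {
        if (!in_array(strtolower($segment), $allowedExt, true)) {
            return null;
        }
    }

    // 4. Resolve the directory and confirm the final path lives directly in it.
    $base = realpath($uploadDir);
    if ($base === false) {
        return null;
    }
    $target = $base . DIRECTORY_SEPARATOR . $name;
    if (dirname($target) !== $base) {
        return null;
    }
    return $target;
}

// Constructed sample inputs: the first two should pass, the rest be rejected.
$allowed = ['jpg', 'jpeg', 'png', 'pdf'];
$dir     = sys_get_temp_dir();
$samples = [
    'report.pdf',
    'photo.JPG',
    '../../shell.php',
    'image.php.jpg',
    'image.jpg.php',
    '.htaccess',
    'notes',
];

foreach ($samples as $s) {
    $dest = safe_destination($dir, $s, $allowed);
    printf("%-20s => %s\n", $s, $dest === null ? 'REJECTED' : 'ok: ' . basename($dest));
    // In a real handler the accepted path is the only one that reaches:
    // move_uploaded_file($_FILES['upload']['tmp_name'], $dest);
}
```

Checking every dotted segment, rather than only the last one, is a deliberate trade-off: it rejects harmless names such as "my.report.pdf", but it also closes the double-extension cases that server configurations sometimes execute. A handler that wants to accept such names should at least keep the last-segment allowlist check and pair it with a denylist of script extensions for the inner segments.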

Once a malicious PHP script, often called a webshell, is successfully uploaded and executed, the consequences are disastrous.

The attacker gains the ability to execute terminal commands directly on the web server, leading to a complete site compromise.

From there, threat actors can steal sensitive database information, inject malware into legitimate pages, redirect visitors to malicious spam sites, or use the compromised server to launch further cyberattacks against other targets.

The vulnerability impacts all versions of the Ninja Forms File Upload plugin up to and including version 3.3.26.

Wordfence initially received the bug report and quickly rolled out firewall protections for premium users on January 8, 2026, and extended those protections to free users by February 7.

The plugin developers worked to resolve the issue, releasing a partial fix in version 3.3.25 and a final, complete patch in version 3.3.27 on March 19, 2026.

If you manage a WordPress website using this specific Ninja Forms addon, it is crucial to update the plugin to version 3.3.27 or higher immediately.

Because this critical flaw requires no authentication and is straightforward for attackers to exploit, unpatched sites remain easy targets for automated web-scanning scripts.
