Hackers exploit critical Ninja Forms WordPress flaw, Wordfence says


Hackers are exploiting a critical vulnerability in the Ninja Forms File Uploads premium add-on for WordPress that can let unauthenticated attackers upload arbitrary files and potentially achieve remote code execution, according to a technical analysis by Wordfence. Wordfence said its firewall blocked more than 3,600 attacks in the past 24 hours.

KEY FACTS

  • CVE: CVE-2026-0740 has a critical severity score of 9.8 out of 10.
  • Affected versions: Ninja Forms File Upload versions up to 3.3.26 are affected.
  • Impact: Attackers can upload PHP files and use path traversal to place them in a webroot directory.
  • Fix: The vendor released version 3.3.27 on March 19.

Ninja Forms is a WordPress form builder with more than 600,000 downloads. Its File Upload extension serves about 90,000 customers.

Wordfence researchers said the flaw stems from missing validation of file type and extension on the destination filename before the uploaded file is moved into place. They said the same weakness lets an attacker manipulate the filename, which can be used for path traversal.
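The two checks the analysis says were missing, as an added defensive example written for this article; it is not Ninja Forms code, and the allow-list, the function name and the upload directory are assumptions:

```php
<?php
// Added example (not Ninja Forms code): validate the destination filename of an
// upload before it is moved, covering the two gaps the analysis describes:
// no extension check on the destination name, and traversal via the filename.

const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt']; // assumed allow-list

/**
 * Return a safe absolute destination path inside $uploadDir, or null when the
 * requested name must be rejected. $requestedName is user-controlled input.
 */
function safe_upload_destination(string $uploadDir, string $requestedName): ?string
{
    // 1. Reject NUL bytes outright; they can truncate the name at lower layers.
    if (strpos($requestedName, "\0") !== false) {
        return null;
    }

    // 2. Keep only the last path component so "../" prefixes and absolute
    //    paths cannot steer the file outside the upload directory.
    $name = basename(str_replace('\\', '/', $requestedName));
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }

    // 3. Check every dotted segment of the final name against the allow-list,
    //    so "shell.php.jpg" is rejected, not just "shell.php".
    $segments = explode('.', strtolower($name));
    if (count($segments) < 2) {
        return null; // require an explicit extension
    }
    foreach (array_slice($segments, 1) as $ext) {
        if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
            return null;
        }
    }

    // 4. Containment check: resolve the upload directory and confirm the
    //    final target still sits beneath it before any move_uploaded_file().
    $base = realpath($uploadDir);
    if ($base === false) {
        return null;
    }
    $target = $base . DIRECTORY_SEPARATOR . $name;
    if (strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $target;
}

// Usage (directory assumed to exist): a traversal name and a double extension
// both come back null; a plain image name yields a path inside the directory.
var_dump(safe_upload_destination('/var/www/uploads', '../../shell.php'));
var_dump(safe_upload_destination('/var/www/uploads', 'shell.php.jpg'));
var_dump(safe_upload_destination('/var/www/uploads', 'photo.jpg'));
```

Extension checks on the name should be paired with a content check of the temporary file (for example via finfo) before the move, since the name alone does not prove the file's type.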

The disclosure said the vulnerability was reported by security researcher Sélim Lanouar on January 8. Wordfence then shared the details with the vendor the same day and applied temporary firewall mitigations for its customers.

After a partial fix on February 10, the vendor released a complete fix in version 3.3.27. The report said exploitation can lead to web shells and full site takeover, and users of the add-on are advised to upgrade.

WHY IT MATTERS

Sites that have not updated the add-on could face unauthorized file uploads and possible remote code execution. With active attacks already under way, the issue creates a risk of site compromise for WordPress administrators who use the plugin.