Security alert: Critical RCE vulnerability (CVE-2026-0740) found in Ninja Forms file upload

A critical security vulnerability identified as CVE-2026-0740 has been discovered in the Ninja Forms - File Uploads extension for WordPress. This flaw allows attackers to upload malicious files to a vulnerable website without authentication, potentially leading to remote code execution (RCE).

With a CVSS v3.1 score of 9.8 (Critical), this vulnerability represents a serious risk for affected websites, especially those exposing file upload functionality to the public internet. Get started now!

What is CVE-2026-0740?Link to heading

CVE-2026-0740 is an unauthenticated arbitrary file upload vulnerability in the Ninja Forms - File Uploads extension for WordPress. The problem exists in the file handling logic inside the NF_FU_AJAX_Controllers_Uploads::handle_upload function.

The root cause is a missing file type validation on the destination filename during the file move operation. While the plugin checks the file type of the source filename, it does not properly validate the destination filename. This gap creates an opportunity for an attacker to bypass the intended extension allowlist by manipulating the destination path.

As a result, a malicious file such as a PHP web shell can be written to the server. Once that happens, the attacker may be able to execute arbitrary commands remotely.

>>> Learn more: CVE-2025-55182: Maximum-severity RCE flaw discovered in react server components

Why is this vulnerability so dangerous?Link to heading

This vulnerability is particularly dangerous because it requires no authentication, meaning an attacker does not need to log in to exploit it. The attack can be carried out remotely over the internet, making it accessible to a wide range of threat actors. More importantly, it can result in remote code execution, one of the most critical risks in web application security. 

If successfully exploited, an attacker could execute arbitrary commands on the server, steal sensitive data from the website or connected systems, upload additional malware, establish backdoors for persistent access, and even move deeper into the hosting environment. Since no user interaction is required, this type of exploit can also be automated, allowing attackers to target large numbers of vulnerable WordPress sites at scale.

>>> Learn more: Over 40,000 WordPress websites face serious security risks due to the CVE-2026-23550 vulnerability in Modular DS

Which versions are affected?Link to heading

All versions of the Ninja Forms - File Uploads extension up to and including 3.3.26 are affected by this vulnerability. The issue was only partially addressed in version 3.3.25, meaning that some exploitation paths were reduced but not fully eliminated. It was not until version 3.3.27 that the vulnerability was completely fixed. This fully remediated version was released on March 19, 2026. 

Therefore, any websites still running version 3.3.25 or 3.3.26 should be considered vulnerable and are strongly advised to upgrade to version 3.3.27 as soon as possible.

Which websites are most at risk?Link to heading

Any WordPress website that uses the File Uploads extension and exposes upload forms to the public internet may be at risk. This includes a wide range of common implementations such as contact forms, lead generation forms, career application portals, donation forms, and customer document upload systems.

With approximately 50,000 active WordPress installations using this plugin, the potential exposure is significant across the ecosystem.

The risk becomes even higher in environments where outdated plugin versions are still in use, automatic updates are disabled, or plugin changelogs are not regularly reviewed. Websites hosted on shared or managed hosting environments, as well as those that allow public file uploads without requiring user authentication, are particularly vulnerable.

In addition, premium WordPress plugins like this one are often not distributed through the standard WordPress.org update system. As a result, updates may be applied more slowly compared to free plugins, increasing the time window in which attackers can exploit known vulnerabilities.

How the attack worksLink to heading

The flaw exists because the plugin checks the file type of the uploaded file’s source name, but fails to properly validate the destination filename during the move process. An attacker can take advantage of this mismatch by manipulating the destination path in a way that bypasses the extension allowlist. For example, they may attempt to upload a file that appears harmless at first but is ultimately saved with an executable extension such as .php.

If the server allows execution in the upload directory, the attacker may then request the uploaded file through a browser and trigger server-side code execution. This is why file upload vulnerabilities are often so dangerous: once an executable file lands in a writable web-accessible directory, the security boundary is often broken.

What could happen after exploitation?Link to heading

If this vulnerability is successfully exploited, an attacker may gain the ability to execute arbitrary commands on the web server, effectively giving them deep control over the system. From that point, the impact can be severe and wide-ranging. The attacker could deface the website, steal sensitive data, compromise user or admin accounts, install malware, inject spam content for search engines, or move laterally into other connected internal systems.

In some cases, this may even lead to a full takeover of the server. In shared hosting environments, the risk can extend beyond a single website. Depending on how well the hosting provider isolates accounts, other websites or services running on the same infrastructure may also be affected, increasing the overall blast radius of the attack.

What could happen after exploitation?Link to heading

If this vulnerability is successfully exploited, an attacker may gain the ability to execute arbitrary commands on the web server, effectively giving them deep control over the system. From that point, the impact can be severe and wide-ranging. The attacker could deface the website, steal sensitive data, compromise user or admin accounts, install malware, inject spam content for search engines, or move laterally into other connected internal systems. 

In some cases, this may even lead to a full takeover of the server. In shared hosting environments, the risk can extend beyond a single website. Depending on how well the hosting provider isolates accounts, other websites or services running on the same infrastructure may also be affected, increasing the overall blast radius of the attack.

Is there a fix?Link to heading

Yes, a full patch is available in Ninja Forms - File Uploads version 3.3.27, which completely resolves CVE-2026-0740. This fixed version was officially released on March 19, 2026. Earlier versions, including 3.3.25, only addressed part of the issue and therefore should not be considered secure, while 3.3.26 remains vulnerable as well.

For this reason, administrators are strongly advised to upgrade directly to version 3.3.27 without relying on intermediate releases.

Since this is a premium extension, updates are delivered through the vendor’s official distribution channel at ninjaforms.com. Website owners should not assume that the patch has been applied automatically, particularly in cases where premium plugins are managed through separate or third-party update mechanisms. Manual verification of the installed version is recommended to ensure the fix has been properly deployed.

What should administrators do now?Link to heading

Administrators should take immediate action to reduce the risk from this vulnerability. The recommended steps are:

• Update to version 3.3.27: Ensure the Ninja Forms - File Uploads extension is upgraded to the fully patched version.
• Verify the installed version in WordPress: Do not rely on auto-updates or assumptions; check the version directly in the WordPress dashboard.
• Temporarily disable file uploads if necessary: If uploads are not critical for current operations, disable the feature until the patch is confirmed.
• Restrict uploads to authenticated users: Limit file upload functionality to logged-in users whenever possible to reduce exposure.
• Block execution in upload directories: Configure the server to prevent execution of files stored in upload folders, even if malicious files are uploaded.
• Audit existing uploaded files: Review recent uploads for suspicious or unexpected files, such as PHP scripts or web shells, that may have been added before patching. 
• Enable Web Application Firewall (WAF) protection: Use a WAF to help block malicious requests, including attempts to upload executable files like PHP scripts.

W7SFW is a WordPress firewall designed to protect websites from modern threats such as brute-force attacks, malicious requests, bot traffic, and vulnerability exploitation attempts.

Unlike traditional security plugins that react after traffic hits WordPress, W7SFW applies a proactive defense model, filtering and blocking harmful requests at the earliest possible stage. This significantly reduces server load while improving overall website stability and security.

>>> Activate W7SFW today to strengthen your website’s first line of defense.

Note: Even after applying the update, administrators should not rely solely on the plugin patch as the only line of defense. Proper server hardening is still essential to ensure that uploaded files cannot be executed at the server level. 

This is important because new vulnerabilities may be discovered in file upload handling in the future, attackers may have already placed malicious files on the system before the patch was applied, and other parts of the server environment could still remain exposed. For these reasons, a layered security approach is always more effective and reliable than depending on a single fix.

ConclusionLink to heading

In summary, CVE-2026-0740 is a critical security vulnerability in Ninja Forms - File Uploads that can allow attackers to take control of a server through unauthenticated file upload attacks. With a CVSS score of 9.8, this issue represents a high-priority risk that must be addressed immediately for any WordPress websites using this plugin.

Upgrading to version 3.3.27 is a mandatory step; however, it is only one part of a comprehensive security strategy. Administrators should also implement additional security measures to ensure maximum protection.