Ninja Forms Exploit: Unauthenticated RCE Threatens WordPress Sites


A critical vulnerability, tracked as CVE-2026-0740, is being actively exploited in the Ninja Forms File Uploads premium add-on for WordPress. The flaw lets unauthenticated attackers upload arbitrary files, including PHP scripts, to a targeted server. It stems from the plugin failing to validate the file type and extension of the destination filename, so an attacker can bypass the upload checks, get a web shell written to disk and then execute it remotely. Wordfence, a prominent WordPress security firm, reported blocking more than 3,600 exploitation attempts in a single 24-hour period, which underlines how immediate the danger is.

The vulnerability affects Ninja Forms File Uploads versions up to 3.3.26 and carries a CVSS score of 9.8. Because the destination filename is not sanitized, the same weakness also permits path traversal: an uploaded file can be placed outside the intended upload folder, in sensitive directories and potentially the webroot. An attacker can therefore both upload malicious code and request it through the web server to execute it, compromising the entire WordPress installation. With Ninja Forms counting over 600,000 downloads and its File Uploads extension used by some 90,000 customers, the exposed population is significant.
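As an added illustration (this is not Ninja Forms, WordPress or Wordfence code), the PHP below models the bug class the article describes, file-type and extension checks that are not applied to the destination filename plus a destination name that is never sanitized for traversal, and contrasts it with a hardened version that validates the exact name that will reach disk. The upload directory, the allowlist and the sample destination names are assumptions constructed for the demo.

```php
<?php
// Added example (not Ninja Forms, WordPress or Wordfence code). It models the two
// defects the article describes: an extension check that never sees the destination
// filename, and a destination filename that is never sanitized. The upload directory,
// request fields and allowlist are assumptions made for the demo.
declare(strict_types=1);

const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];   // assumed allowlist

// Vulnerable pattern: validates the wrong name. The allowlist is applied to the name
// the browser sent, but the file is written under a second, also client-controlled,
// destination name that receives no checks at all.
function vulnerable_destination(string $uploadDir, string $originalName, string $destinationName): ?string
{
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;                                   // only $originalName is inspected
    }
    return $uploadDir . '/' . $destinationName;        // "shell.php" or "../../x.php" pass through verbatim
}

// Hardened pattern: every check is made on the name that will actually reach disk.
function hardened_destination(string $uploadDir, string $destinationName): ?string
{
    // 1. Keep only the last path component: removes "../", "/" and "\" traversal.
    $name = basename(str_replace('\\', '/', $destinationName));
    // 2. Restrict to a conservative character set and forbid dotfiles (".htaccess").
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', $name);
    $name = ltrim($name, '.');
    if ($name === '') {
        return null;
    }
    // 3. Allowlist the final extension and refuse PHP-like inner extensions
    //    ("shell.php.png"), which some Apache mod_php configurations still execute.
    $parts = explode('.', $name);
    if (count($parts) < 2) {
        return null;                                   // an extension is required
    }
    $ext = strtolower(array_pop($parts));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }
    foreach ($parts as $inner) {
        if (preg_match('/^ph(p\d?|tml|ar|ps)$/i', $inner)) {
            return null;
        }
    }
    // 4. Resolve the upload directory and confirm the target stays inside it
    //    (defence in depth; basename() above already guarantees this).
    $baseReal = realpath($uploadDir);
    if ($baseReal === false) {
        return null;                                   // upload dir must exist
    }
    $target = $baseReal . DIRECTORY_SEPARATOR . $name;
    if (dirname($target) !== $baseReal) {
        return null;
    }
    return $target;
}

// Demo: one benign submitted file ("avatar.png") paired with attacker-chosen destination names.
$uploadDir = sys_get_temp_dir() . '/nf-upload-demo';   // constructed stand-in for wp-content/uploads
if (!is_dir($uploadDir)) {
    mkdir($uploadDir, 0700, true);
}
$destinations = [
    'avatar.png',                       // benign
    'shell.php',                        // the extension check never sees this name
    '../../../wp-config-backup.php',    // traversal plus executable extension
    '../../evil.png',                   // traversal with an allowed extension: hardened version confines it
    'shell.php.png',                    // double extension
    '.htaccess',                        // could re-enable PHP handling inside the uploads folder
];
foreach ($destinations as $dest) {
    printf("%-32s vulnerable: %-60s hardened: %s\n",
        $dest,
        var_export(vulnerable_destination($uploadDir, 'avatar.png', $dest), true),
        var_export(hardened_destination($uploadDir, $dest), true));
}
```

Running it shows the vulnerable function returning a path for every destination, because the only name it inspects is the harmless `avatar.png`, while the hardened function accepts `avatar.png`, confines `../../evil.png` to the upload directory as `evil.png`, and rejects the rest. The point to take from the article is the same: validation must run on the filename that is finally written, not on whichever name happens to be convenient.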

What This Means For You

  • Because the flaw is unauthenticated, rated critical and already being exploited in a widely deployed plugin, organizations should immediately audit their WordPress installations for the Ninja Forms File Uploads add-on and update it to a patched version. Where patching is not immediately possible, disable the file upload functionality or deactivate the add-on until it can be updated, and add Web Application Firewall (WAF) rules that block upload requests to the plugin that carry executable extensions or path-traversal sequences. Also review the upload directories for recently written .php files and other unexpected content: a site that was hit before the patch needs cleanup, not just an update.
Shimi Cohen, Shimi's Cyber World