Hackers exploit critical flaw in Ninja Forms WordPress plugin

A critical unauthenticated file upload vulnerability in the Ninja Forms File Uploads premium add-on (CVE-2026-0740) allows attackers to upload arbitrary files, including PHP, enabling remote code execution and full site takeover. Wordfence reports active exploitation with thousands of blocked attacks and urges users to upgrade to patched version 3.3.27 following disclosure by researcher Sélim Lanouar. #CVE20260740 #NinjaFormsFileUpload

Keypoints

  • The vulnerability (CVE-2026-0740) affects Ninja Forms File Uploads versions up to and including 3.3.26.
  • Missing validation of the destination file type lets attackers upload arbitrary files, including .php scripts.
  • Missing filename sanitization allows path traversal, so an uploaded file can be placed in the webroot instead of the upload directory.
  • Exploitation can result in web shells, remote code execution, and complete site takeover.
  • Wordfence blocked thousands of attacks and recommends immediate upgrade to version 3.3.27.
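
The two keypoints above describe a single bug class: an upload handler that lets the client choose both the file type and the on-disk path. The following is an added, self-contained PHP illustration written for this page; it is not the Ninja Forms File Uploads code and does not reproduce the plugin's actual handler. It shows the vulnerable destination calculation beside a hardened version that allowlists extensions, sniffs the real content type, generates the on-disk name server-side, and rejects any name that would resolve outside the upload directory. The upload directory, webroot path and allowlist are assumptions for the demo.

```php
<?php
// Added example for this page, not the plugin's own code. The directory layout
// and the extension allowlist below are assumptions for the demo.

// VULNERABLE PATTERN: the client-supplied name decides both extension and path.
// A name such as "../../shell.php" leaves the upload directory and lands in the
// webroot, where the web server will execute it.
function vulnerable_destination(string $uploadDir, string $clientName): string
{
    return $uploadDir . '/' . $clientName;   // no basename(), no type check
}

// Lexically join $relative onto $baseDir and refuse anything that would climb
// above $baseDir. Works before the file exists, unlike realpath().
function resolve_inside(string $baseDir, string $relative): ?string
{
    if (strpos($relative, "\0") !== false) {
        return null;                          // NUL truncates paths in C APIs
    }
    $parts = [];
    foreach (preg_split('~[\\\\/]+~', $relative) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            if (empty($parts)) {
                return null;                  // would escape $baseDir
            }
            array_pop($parts);
            continue;
        }
        $parts[] = $seg;
    }
    if (empty($parts)) {
        return null;
    }
    return rtrim($baseDir, '/\\') . '/' . implode('/', $parts);
}

// Return the allowed extension for this upload, or null if it must be rejected.
// The extension is taken only from the last component of the client name and
// must be on the allowlist; the bytes must then sniff as the matching MIME type.
function allowed_extension(string $clientName, string $bytes): ?string
{
    static $allowed = [
        'pdf' => 'application/pdf',
        'png' => 'image/png',
        'jpg' => 'image/jpeg',
        'txt' => 'text/plain',
    ];
    $ext = strtolower(pathinfo(basename($clientName), PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return null;                          // .php, .phtml, .phar never pass
    }
    // libmagic reports "<?php ..." content as text/x-php, not text/plain, so a
    // PHP payload renamed to notes.txt fails this comparison.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes);
    return $mime === $allowed[$ext] ? $ext : null;
}

// HARDENED PATTERN: the server chooses a random on-disk name, so the client
// name never influences the path; the containment check is kept anyway.
function save_upload_hardened(string $uploadDir, string $clientName, string $bytes): ?string
{
    $ext = allowed_extension($clientName, $bytes);
    if ($ext === null) {
        return null;
    }
    $dest = resolve_inside($uploadDir, bin2hex(random_bytes(16)) . '.' . $ext);
    if ($dest === null) {
        return null;
    }
    file_put_contents($dest, $bytes);
    return $dest;
}

if (PHP_SAPI === 'cli' && realpath($argv[0]) === __FILE__) {
    $payload = '<?php system($_GET["c"]); ?>';          // constructed web-shell bytes
    $uploads = sys_get_temp_dir() . '/demo-uploads';    // assumed upload dir
    @mkdir($uploads, 0700, true);

    echo "vulnerable dest : ", vulnerable_destination('/var/www/html/wp-content/uploads', '../../shell.php'), "\n";
    echo "resolve_inside  : ", var_export(resolve_inside($uploads, '../../shell.php'), true), "\n";
    echo "shell.php       : ", var_export(save_upload_hardened($uploads, 'shell.php', $payload), true), "\n";
    echo "notes.txt (php) : ", var_export(save_upload_hardened($uploads, 'notes.txt', $payload), true), "\n";
    echo "notes.txt (text): ", var_export(save_upload_hardened($uploads, 'notes.txt', "Hello\n"), true), "\n";
}
```

Run it with `php example.php` to see the vulnerable destination collapse into the webroot while the hardened handler rejects the traversal name, the .php extension and the PHP payload renamed to .txt, accepting only the plain-text upload under a server-generated name. Input validation alone is not the whole defence: the upload directory should also be configured so the web server never executes scripts from it (for example, a deny rule for .php in the uploads location), so that a future bypass of the type check still cannot produce a working web shell.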

Read More: https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-flaw-in-ninja-forms-wordpress-plugin/