A critical vulnerability in the WordPress ecosystem has placed approximately 50,000 websites at risk of full compromise. The issue affects the widely used Ninja Forms – File Upload plugin, enabling attackers to upload malicious files and achieve remote code execution without authentication.
Tracked as CVE-2026-0740, the flaw carries a CVSS score of 9.8, indicating maximum severity. Security researcher Sélim Lanouar discovered the vulnerability, earning a $2,145 bug bounty for identifying the dangerous flaw.
Unauthenticated File Upload Leads to Full Server Takeover
The vulnerability stems from improper handling of uploaded files within the plugin’s handle_upload() function. While the plugin attempts to validate file types, it fails to verify the destination filename extension during the move_uploaded_file() operation.
This oversight, combined with insufficient filename sanitization, allows attackers to exploit path traversal techniques. By manipulating file paths, threat actors can upload malicious .php files directly into sensitive directories, including the site’s root folder.
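The two checks the article says handle_upload() lacks, written out as an added illustration rather than the plugin's own code, and in Python rather than the plugin's PHP: the upload name is sanitized against traversal, and the extension of the destination name is verified against an allowlist before any file is moved. ALLOWED_EXTENSIONS and the upload directory path are constructed assumptions for the example.

```python
import os
import posixpath

# Allowlist of extensions the form is meant to accept (constructed for this
# example; a real deployment would take this from the form configuration).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}


def validate_upload_destination(filename: str, upload_dir: str) -> str:
    """Return the absolute destination path for `filename` inside
    `upload_dir`, or raise ValueError when the name would escape the
    directory or the destination extension is not allowed.

    Both checks run on the *destination* name, not on the detected file
    type, which is the gap the article describes.
    """
    # Reject separators and parent references outright; a safe upload
    # name is a single path component.
    if not filename or filename in (".", "..") or "\x00" in filename:
        raise ValueError("empty or invalid filename")
    if "/" in filename or "\\" in filename:
        raise ValueError("path separators are not allowed in upload names")
    if filename.startswith("."):
        raise ValueError("hidden files are not allowed")

    # Check the final extension of the destination name against the allowlist.
    _, ext = posixpath.splitext(filename)
    ext = ext.lstrip(".").lower()
    if not ext or ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension {ext!r} is not allowed")

    # Containment check: the resolved destination must still be inside the
    # upload directory even after normalisation.
    base = os.path.realpath(upload_dir)
    dest = os.path.realpath(os.path.join(base, filename))
    if os.path.commonpath([base, dest]) != base:
        raise ValueError("destination escapes the upload directory")
    return dest


def is_safe_upload(filename: str, upload_dir: str) -> bool:
    """Boolean wrapper for callers that prefer a yes/no answer."""
    try:
        validate_upload_destination(filename, upload_dir)
        return True
    except ValueError:
        return False
```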
Once executed, these files function as webshells, giving attackers command-line control over the server. With this level of access, adversaries can:
- Steal WordPress database credentials
- Inject malicious scripts into legitimate pages
- Redirect visitors to phishing or malware sites
- Deploy additional backdoors for persistence
- Use the compromised server to launch further attacks
Widespread Exposure Across Plugin Versions
The vulnerability impacts all versions of the Ninja Forms File Upload add-on up to and including version 3.3.26. Due to the unauthenticated nature of the flaw, automated scanners can easily identify and exploit vulnerable websites at scale.
Security firm Wordfence initially received the vulnerability report and quickly released firewall protections for premium users in early January 2026. Protection was later extended to free users in February.
Plugin developers responded with:
- Partial mitigation in version 3.3.25
- Complete fix in version 3.3.27 (released March 19, 2026)
Immediate Action Required
Website administrators using this plugin should upgrade to version 3.3.27 or later immediately. Because exploitation requires no authentication and minimal skill, unpatched systems remain high-value targets.
Security teams should also:
- Review web server logs for suspicious file uploads
- Scan for unexpected .php files in upload directories
- Rotate WordPress credentials if compromise is suspected
- Deploy a web application firewall where possible
- Monitor for unusual outbound traffic from hosting servers
With thousands of websites exposed and exploitation trivial, this vulnerability represents a significant risk to WordPress environments that rely on file upload functionality.