A critical security vulnerability (CVE-2026-0740) has been discovered in the 'File Uploads' premium extension for the popular WordPress plugin Ninja Forms. Attackers are actively exploiting this flaw to upload malicious files without authorization, effectively gaining control over website backends.
According to monitoring data from cybersecurity firm Wordfence, the vulnerability has triggered over 3,600 malicious attack attempts in the last 24 hours alone. Given the plugin's widespread use for building website forms, security experts are warning that sites that have not been updated are at risk of a complete takeover.
Vulnerability Mechanism and Security Risks
The vulnerability carries a critical severity score of 9.8 out of 10 and affects all versions of the Ninja Forms File Uploads extension up to and including 3.3.26. Wordfence researchers noted that the core issue lies in the plugin's failure to implement necessary validation mechanisms when processing uploaded files.
"The plugin does not perform any file type or extension checks on the destination filename before performing the move operation," Wordfence explained in its report. "This means that an attacker can upload not only safe files but also .php script files."
Furthermore, because the plugin fails to sanitize filenames, attackers can use path traversal techniques to move malicious scripts into the website's root directory. Once uploaded, an attacker can trigger remote code execution by accessing the file, allowing them to deploy a web shell or take full control of the victim's web server.
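The two missing checks described above (an extension allowlist on the destination name, and sanitization that strips directory components before the move) written out as an added illustration; this is not Ninja Forms' code or the vendor's fix, and the upload directory path and the $_FILES field name are assumed:

```php
<?php
// Added example, not Ninja Forms code: builds a safe destination path for an
// uploaded file, or returns null so the caller refuses the upload.
// $uploadDir and the 'f' form field below are assumptions for illustration.
function safe_destination_path(string $uploadDir, string $clientName, array $allowedExt): ?string
{
    // 1. Drop any directory component the client supplied, so a traversal name
    //    such as "../../shell.php" collapses to its last path segment only.
    $name = basename(str_replace('\\', '/', $clientName));
    // Reduce to a conservative character set; refuse empty or dot-leading names.
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', $name);
    if ($name === '' || $name[0] === '.') {
        return null;
    }
    // 2. Allowlist the *final* extension of the destination name and neutralise
    //    inner dots, so "shell.php.jpg" becomes "shell_php.jpg" and
    //    "shell.jpg.php" is rejected outright.
    $dot = strrpos($name, '.');
    if ($dot === false || $dot === 0) {
        return null;
    }
    $stem = str_replace('.', '_', substr($name, 0, $dot));
    $ext  = strtolower(substr($name, $dot + 1));
    if (!in_array($ext, $allowedExt, true)) {
        return null;
    }
    // 3. Defence in depth: the resolved destination must stay inside the
    //    upload directory even if an earlier step is changed later.
    $base = realpath($uploadDir);
    if ($base === false) {
        return null;
    }
    $dest = $base . DIRECTORY_SEPARATOR . $stem . '.' . $ext;
    if (strpos($dest, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $dest;
}

// Pattern the report describes: the client-supplied name goes straight into the
// move with no type, extension or path check.
//   move_uploaded_file($_FILES['f']['tmp_name'], $uploadDir . $_FILES['f']['name']);

// Hardened form: the move only happens once the destination passes every check.
$uploadDir = '/var/www/html/wp-content/uploads/forms'; // assumed path
$dest = safe_destination_path($uploadDir, $_FILES['f']['name'] ?? '', ['jpg', 'jpeg', 'png', 'pdf']);
if ($dest === null) {
    http_response_code(400);
    exit('upload rejected');
}
move_uploaded_file($_FILES['f']['tmp_name'], $dest);
```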
The vulnerability was submitted to Wordfence’s bug bounty program on January 8 by security researcher Sélim Lanouar (known online as 'whattheslime'). After verification and notification, the vendor officially released version 3.3.27 on March 19 to address the flaw.
Given that this vulnerability is currently being actively exploited, security experts strongly urge all website administrators using the Ninja Forms File Uploads extension to check their plugin version immediately. Users should update to the latest version as soon as possible to close this critical attack vector.