CVE-2026-0740
Ninja Forms - File Upload <= 3.3.26 - Unauthenticated Arbitrary File Upload
Description
The Ninja Forms - File Uploads plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'NF_FU_AJAX_Controllers_Uploads::handle_upload' function in all versions up to, and including, 3.3.26. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Note: The vulnerability was partially patched in version 3.3.25 and fully patched in version 3.3.27.
In plain language
AI Act nowNinja Forms - File Uploads (up to 3.3.26) lets anyone upload files to your WordPress site without logging in—this can lead to full site takeover—so a typical small business should act immediately if you use it.
Unauthenticated arbitrary file upload in Ninja Forms - File Uploads (all versions up to and including 3.3.26) via the NF_FU_AJAX_Controllers_Uploads::handle_upload endpoint can allow attackers to upload attacker-controlled files to the server, potentially leading to remote code execution.
What to do now
- Check your WordPress admin area for the installed Ninja Forms - File Uploads version (and confirm you are on 3.3.26 or earlier).
- Upgrade Ninja Forms - File Uploads to version 3.3.27 or later.
- If you cannot upgrade right away, temporarily disable the “File Uploads” feature/plugin and block public access to the plugin’s upload endpoint at the web server/WAF level.
- After upgrading, scan your site for unexpected new files and review recent web server and WordPress activity for uploads from unusual sources.
CVSS Vector Breakdown
AV:NAttack VectorAC:LAttack ComplexityPR:NPrivileges RequiredUI:NUser InteractionS:UScopeC:HConfidentialityI:HIntegrityA:HAvailabilityWeaknesses
Affected Products
Exploitability
Attack Graph
Click technique nodes for MITRE ATT&CK details · drag to pan · Ctrl/⌘ + scroll to zoom, or go fullscreen.
MITRE ATT&CK
3 techniquesReferences
Unlock Complete Vulnerability Intelligence
Get the full picture for CVE-2026-0740 and every CVE in our database. Create a free account — no credit card required.
Create Free Account