
[CIVN-2026-0184] Arbitrary File Upload Vulnerability in Ninja Forms – File Uploads plugin for WordPress
Indian – Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: CRITICAL
Software Affected
Ninja Forms – File Uploads plugin for WordPress prior to 3.3.27
Overview
A critical vulnerability has been identified in the Ninja Forms – File Uploads plugin for WordPress. The flaw allows unauthenticated attackers to upload arbitrary files, potentially leading to remote code execution on the affected server.
Target Audience:
Website administrators, developers, and organizations using WordPress with the Ninja Forms – File Uploads plugin installed.
Risk Assessment:
Critical risk due to the possibility of unauthenticated remote code execution.
Impact Assessment:
Remote code execution, unauthorized access, and data manipulation.
Description
Ninja Forms is a widely used WordPress plugin for creating forms, with an extension for handling file uploads.
The vulnerability (CVE-2026-0740) exists due to missing file type validation in the function NF_FU_AJAX_Controllers_Uploads::handle_upload.
This flaw affects all versions up to and including 3.3.26. Due to insufficient validation of uploaded files, an unauthenticated attacker can upload arbitrary files (including executable scripts) to the server.
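The following triage script is an added example, not part of the CERT-In advisory or the plugin's code: it reads the installed plugin version from its WordPress header, compares it with the fixed release 3.3.27, and lists files under the uploads directory that are scripts by name or by content. The plugin path (built from the slug in the reference URL), the default uploads path and the extension list are assumptions to adjust per site.

```python
import re
import sys
from pathlib import Path

FIXED = (3, 3, 27)                    # advisory: versions prior to 3.3.27 are affected
PLUGIN_DIR = "wp-content/plugins/ninja-forms-uploads"  # assumed install path (slug from the reference URL)
UPLOADS_DIR = "wp-content/uploads"    # WordPress default uploads location
# Assumption: extensions the web server may hand to PHP; match this to your handler config.
SCRIPT_EXT = {".php", ".phtml", ".phar", ".pht", ".php5", ".php7"}

def parse_version(header_text):
    """Extract 'Version: x.y.z' from a WordPress plugin header as a tuple, or None."""
    m = re.search(r"^[ \t/*#]*Version:\s*(\d+(?:\.\d+)*)", header_text, re.M | re.I)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def is_affected(version):
    """True when the version tuple sorts before the fixed release."""
    return version < FIXED

def installed_version(wp_root):
    """Read the plugin header from the top-level PHP files of the plugin directory."""
    for php in sorted(Path(wp_root, PLUGIN_DIR).glob("*.php")):
        # WordPress itself only reads the first 8 KiB of a file for header data.
        version = parse_version(php.read_bytes()[:8192].decode("utf-8", "replace"))
        if version:
            return version
    return None

def suspicious_uploads(wp_root):
    """List uploaded files that look like scripts by any extension or by content."""
    hits = []
    for f in sorted(Path(wp_root, UPLOADS_DIR).rglob("*")):
        if not f.is_file():
            continue
        by_name = any(s.lower() in SCRIPT_EXT for s in f.suffixes)  # catches x.php.jpg too
        with f.open("rb") as fh:
            by_content = b"<?php" in fh.read(4096).lower()
        if by_name or by_content:
            hits.append(f.relative_to(wp_root).as_posix())
    return hits

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    v = installed_version(root)
    print("plugin version:", v, "AFFECTED" if v and is_affected(v) else "not affected / not found")
    for hit in suspicious_uploads(root):
        print("review:", hit)
```

Hits are candidates for manual review rather than verdicts, since some plugins place harmless index.php stubs in upload folders.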
Solution
Apply appropriate security updates as mentioned in ninja-forms-uploads Security Updates:
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/ninja-forms-uploads/ninja-forms-file-upload-3326-unauthenticated-arbitrary-file-upload
Vendor Information
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/ninja-forms-uploads/ninja-forms-file-upload-3326-unauthenticated-arbitrary-file-upload
References
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/ninja-forms-uploads/ninja-forms-file-upload-3326-unauthenticated-arbitrary-file-upload
CVE Name
CVE-2026-0740
--
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax : 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003


