A critical-severity vulnerability in the File Uploads addon for the Ninja Forms WordPress plugin could allow threat actors to take over vulnerable deployments, cybersecurity firm Defiant warns.
Defiant says the affected addon is used by roughly 50,000 websites, and the company has seen thousands of attempts to exploit the vulnerability.
Tracked as CVE-2026-0740 (CVSS score of 9.8), the security defect is described as an unauthenticated arbitrary file upload issue rooted in a missing file type validation.
The addon was designed to provide file upload functionality for the Ninja Forms plugin. The CVE exists in the function that saves the uploaded file to the uploads folder.
The file type check it performs is not sufficient, as it does not check the destination filename before the file is moved to the uploads directory, which makes it possible to upload files with the .php extension.
“Since no filename sanitization is utilized, the malicious parameter also facilitates path traversal, allowing the file to be moved even to the webroot directory,” Defiant explains.
An unauthenticated attacker could exploit this vulnerability to upload malicious PHP code to a vulnerable website’s server, and then access the file to achieve remote code execution (RCE), Defiant notes.
According to the cybersecurity firm, an attacker could abuse the bug to deploy web shells and take complete control of the targeted site.
CVE-2026-0740, Defiant says, was identified and reported via the Wordfence bug bounty program in January by security researcher Sélim Lanouar, who received a $2,145 bounty reward for it.
Users are advised to upgrade to Ninja Forms – File Uploads version 3.3.27 as soon as possible, as all previous iterations are affected by the bug.
Related: Critical Flowise Vulnerability in Attacker Crosshairs
Related: GrafanaGhost: Attackers Can Abuse Grafana to Leak Enterprise Data
Related: Ally WordPress Plugin Flaw Exposes Over 200,000 Websites to Attacks
Related: Critical King Addons Vulnerability Exploited to Hack WordPress Sites
