Active Exploitation of Ninja Forms File Uploads Flaw Enables WordPress RCE
Attackers are actively exploiting CVE-2026-0740, a critical unauthenticated arbitrary file upload flaw in the Ninja Forms File Uploads premium add-on for WordPress that can lead to remote code execution and full site compromise. The vulnerability affects versions through 3.3.26 and stems from improper validation of file types and extensions in destination filenames, combined with missing filename sanitization that allows path traversal and placement of malicious PHP files in the webroot or other sensitive directories.
Wordfence said it blocked more than 3,600 exploitation attempts in a 24-hour period and warned that attackers could use the bug to deploy web shells and take over vulnerable sites. Researcher Sélim Lanouar discovered the issue through Wordfence’s bug bounty program, and the vendor released a full fix in version 3.3.27 after an earlier partial remediation. Organizations using the add-on, which is deployed across more than 90,000 customer environments, have been urged to upgrade immediately.
Timeline
Apr 7, 2026
Wordfence blocks over 3,600 exploitation attempts in 24 hours
Wordfence reported blocking more than 3,600 attack attempts targeting CVE-2026-0740 within a 24-hour period, underscoring widespread active exploitation of the flaw.
Apr 7, 2026
Active exploitation of CVE-2026-0740 observed in the wild
Attackers began actively exploiting the Ninja Forms File Uploads vulnerability, attempting to upload malicious PHP files that could enable web shell deployment and full site compromise.
Mar 19, 2026
Complete fix released in Ninja Forms File Uploads 3.3.27
The vendor released version 3.3.27 with a full patch for CVE-2026-0740, a critical flaw that could allow unauthenticated remote code execution through malicious file uploads and path traversal.
Feb 10, 2026
Vendor issues partial fix for Ninja Forms File Uploads flaw
An initial partial fix for CVE-2026-0740 was released by the vendor, but it did not fully remediate the vulnerability affecting versions up to 3.3.26.
Feb 10, 2026
Researcher discovers CVE-2026-0740 in Ninja Forms File Uploads add-on
Security researcher Sélim Lanouar identified a critical unauthenticated arbitrary file upload flaw in the Ninja Forms File Uploads premium add-on for WordPress through Wordfence's bug bounty program and reported it to Wordfence, which notified the vendor.
Related Stories

Critical File Upload Flaws Expose WordPress Plugins to Remote Code Execution
Multiple WordPress plugins were found vulnerable to **unauthenticated arbitrary file upload** flaws that can lead to remote code execution and full site compromise. The most urgent case involves the **Breeze Cache** plugin, where **CVE-2026-3844** affects versions through `2.4.4` when the optional **"Host Files Locally - Gravatars"** feature is enabled. Researchers said the bug stems from missing file-type validation in the `fetch_gravatar_from_remote` function, and BleepingComputer reported that attackers are already exploiting the issue in the wild, with Wordfence observing more than 170 attack attempts. Cloudways released a fix in version `2.4.5`, and defenders were urged to update immediately or disable the Gravatar-related feature until patching is complete. Two additional **Contact Form 7** upload extensions were also disclosed with critical upload weaknesses. **CVE-2026-5718** affects **Drag and Drop Multiple File Upload for Contact Form 7** through `1.3.9.6`, where custom blacklist handling can override the default dangerous-extension denylist and a non-ASCII filename trick can bypass sanitization, allowing attackers to upload PHP files. **CVE-2026-5364** affects **Drag and Drop File Upload for Contact Form 7** through `1.1.3`, where the plugin validates an unsanitized extension but saves a sanitized one, enabling bypasses using special characters such as `$`; researchers noted that `.htaccess` protections and filename randomization may reduce real-world exploitability. Together, the disclosures highlight a broader pattern of insecure file validation in WordPress upload plugins.
1 week ago
Critical WordPress Form Plugin Flaws Enable Unauthenticated Server Compromise
Two high-severity vulnerabilities were disclosed in widely used WordPress form plugins, exposing sites to unauthenticated attacks that can lead to full server compromise. **CVE-2026-4347** affects **MW WP Form** through version `5.1.0` and stems from insufficient file path validation in `generate_user_filepath` and `move_temp_file_to_upload_dir`. An attacker can move arbitrary files on the server without authentication, and if a sensitive file such as `wp-config.php` is relocated, the flaw can be leveraged for remote code execution. Exploitation requires a form with a file upload field and the **Saving inquiry data in database** option enabled; the issue is tracked as **CWE-22**.
3 weeks ago
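The three upload flaws above share one root cause: the extension check runs on a different string than the one written to disk, and path separators survive into the destination name. As an added example (not code from Ninja Forms, MW WP Form, the Contact Form 7 extensions or Wordfence), this Python model shows the order a defender wants: sanitize first, validate the name that will actually be saved, then confine the resolved path to the upload directory. The extension lists and the `uploads` directory are constructed for the example.

```python
import re
from pathlib import Path

# Constructed policy for this example; real plugins ship their own lists.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "htaccess"}
_UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]")

class UploadRejected(ValueError):
    """Raised when a client-supplied filename fails validation."""

def sanitize_filename(client_name: str) -> str:
    """Drop directory components, reject NUL bytes, and map every character
    outside [A-Za-z0-9._-] to '_' (neutralises the '$' and non-ASCII tricks)."""
    if "\x00" in client_name:
        raise UploadRejected("NUL byte in filename")
    base = client_name.replace("\\", "/").rsplit("/", 1)[-1]
    base = _UNSAFE_CHARS.sub("_", base).strip("._")
    if not base:
        raise UploadRejected("empty filename after sanitization")
    return base

def validate_extension(saved_name: str) -> None:
    """Check the name that will actually be written, never the raw input;
    every dot-separated segment is inspected, so 'shell.php.jpg' fails too."""
    segments = saved_name.lower().split(".")
    if len(segments) < 2:
        raise UploadRejected("missing extension")
    if any(seg in EXECUTABLE_EXTENSIONS for seg in segments):
        raise UploadRejected("executable extension present")
    if segments[-1] not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension .{segments[-1]} not allowed")

def resolve_upload_path(upload_dir: str, client_name: str) -> Path:
    """Sanitize, validate the *sanitized* name, then confine the final path."""
    safe = sanitize_filename(client_name)
    validate_extension(safe)
    root = Path(upload_dir).resolve()
    target = (root / safe).resolve()
    if root not in target.parents:
        raise UploadRejected("path escapes upload directory")
    return target

def is_accepted(upload_dir: str, client_name: str) -> bool:
    """True if the upload would be stored under upload_dir, else False."""
    try:
        resolve_upload_path(upload_dir, client_name)
        return True
    except UploadRejected:
        return False
```

Running the validator on the filename shapes the disclosures describe (traversal prefixes, double extensions, a trailing `$`, a non-ASCII letter, a dotfile) rejects all of them while ordinary names pass with spaces replaced.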
Critical WordPress Plugin Flaws Expose Sites to RCE and Privilege Escalation
Two high-severity vulnerabilities have been disclosed in widely deployed WordPress plugins, exposing internet-facing sites to **unauthenticated compromise**. `CVE-2026-3584` affects **Kali Forms** through version `2.4.9` and allows **remote code execution** because user-controlled input can be mapped into internal placeholder storage and later invoked via `call_user_func` in the `form_process` path. The issue is classified as `CWE-94` and carries a `CVSS 3.1` score with the vector `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`, indicating critical impact on confidentiality, integrity, and availability. A second flaw, `CVE-2026-4038`, affects **Aimogen Pro** through version `2.7.5` and enables **unauthenticated privilege escalation** through an arbitrary function call in `aiomatic_call_ai_function_realtime` caused by a missing capability check. According to the disclosure, attackers can invoke WordPress functions such as `update_option` to change the default registration role to administrator and enable user registration, effectively creating a path to full site takeover. The vulnerability is tracked as `CWE-862` and was likewise rated with a high-impact `CVSS 3.1` vector of `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`.
1 month ago