A critical vulnerability in the Ninja Forms – File Upload plugin for WordPress is currently under active exploitation by attackers. The flaw, an Arbitrary File Upload vulnerability, allows unauthenticated users to upload malicious files to servers running the plugin. With an estimated 50,000 sites affected, the stakes are high for WordPress site owners relying on this plugin.
Key Takeaways
- The vulnerability in Ninja Forms – File Upload plugin has a CVSS score of 9.8 (Critical).
- Attackers began exploiting the vulnerability on April 6, 2026, the same day it was publicly disclosed.
- WordPress site owners must update to version 3.3.27 immediately to mitigate the risk.
- Wordfence Firewall has blocked over 118,600 exploit attempts targeting this flaw.
- Unauthenticated attackers can achieve remote code execution through this vulnerability.
Details of the Vulnerability
The vulnerability, tracked as CVE-2026-0740, affects all versions of the Ninja Forms – File Upload plugin up to and including 3.3.26. It stems from inadequate file validation in the NF_FU_AJAX_Controllers_Uploads::handle_upload function. Attackers can upload arbitrary files, including PHP scripts, due to missing checks on destination filenames and file extensions. This opens the door to remote code execution and potential full site compromise.
While version 3.3.25 introduced partial fixes, the issue was not fully resolved until version 3.3.27, released on March 19, 2026. Wordfence disclosed the vulnerability on April 6, 2026, and attackers began exploiting it immediately. Wordfence Premium users were protected by a dedicated firewall rule as early as January 8, 2026, while free users received protection starting February 7, 2026.
Active Exploitation and Attack Patterns
According to Wordfence, attackers are leveraging the vulnerability to upload malicious PHP files and .htaccess files designed to compromise affected sites. One example attack involves crafting a POST request to the admin-ajax.php endpoint with a file disguised as a PDF but containing hidden PHP code. This webshell can then execute further malicious actions, such as uploading additional malware.
Wordfence has recorded over 118,600 exploit attempts so far, underscoring the urgency for site owners to act. Exploits often use minimal webshells capable of bypassing common PHP restrictions, making them highly effective against unpatched sites.
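The two weaknesses described above, missing checks on the destination filename and on file extensions, and the attack pattern of a PDF-looking file that carries PHP, are easiest to understand side by side. The following is an added example written for this page in Python; it is not the plugin's PHP code, not Wordfence's firewall rule, and the allowlist, magic-byte table and sample filenames are assumptions chosen for illustration. The weak check trusts only the last extension and never reads the bytes; the hardened check rejects path components, inspects every dot-separated extension component, verifies the claimed type against the file's leading bytes, refuses any content carrying a PHP open tag, and never reuses the client-supplied name on disk.

```python
import re
import secrets
from pathlib import PurePosixPath

# Allowlist a form might reasonably accept (an assumption for this example;
# the plugin configures accepted types per form, and this is not its code).
ALLOWED_EXTENSIONS = {"pdf", "png", "jpg", "jpeg", "gif", "txt", "docx"}

# Extensions a web server may hand to the PHP interpreter. Checking every
# dot-separated component catches names such as shell.php.pdf.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phps", "phtml", "phar"}

# A PHP open tag anywhere in the bytes is enough for a webshell to run if the
# file is ever served through PHP, whatever the filename claims.
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)

# Leading bytes expected for the binary types in the allowlist. Types without
# an entry (txt, docx) rely on the extension and PHP-tag checks only.
MAGIC = {
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
}


def weak_upload_check(client_filename: str) -> bool:
    """Deliberately weak: trusts only the text after the last dot and never
    looks at the bytes. Written here only to contrast with the hardened check."""
    ext = client_filename.rsplit(".", 1)[-1].lower()
    return ext in ALLOWED_EXTENSIONS


def hardened_upload_check(client_filename: str, content: bytes):
    """Return (accepted, reason). Validates the name, every extension
    component and the content before anything touches disk."""
    # 1. The client never chooses a path: directory components, traversal
    #    sequences, control bytes and dotfile names are rejected outright.
    name = PurePosixPath(client_filename.replace("\\", "/")).name
    if name != client_filename or name in ("", ".", "..") or name.startswith("."):
        return False, "path component, empty or dotfile name"
    if any(ord(c) < 32 or ord(c) == 127 for c in name):
        return False, "control character in filename"
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[0] or not parts[-1]:
        return False, "missing extension"
    exts = parts[1:]
    # 2. Every extension component is checked, not just the final one.
    if any(e in EXECUTABLE_EXTENSIONS for e in exts):
        return False, "executable extension component"
    final_ext = exts[-1]
    if final_ext not in ALLOWED_EXTENSIONS:
        return False, f"extension .{final_ext} not allowed"
    # 3. The bytes must agree with the claimed type and must not carry PHP.
    magic = MAGIC.get(final_ext)
    if magic is not None and not content.startswith(magic):
        return False, f"content does not look like .{final_ext}"
    if PHP_OPEN_TAG.search(content):
        return False, "PHP open tag in content"
    return True, "ok"


def destination_name(final_ext: str) -> str:
    """Server-chosen destination name: the client's name is never reused on disk."""
    return f"{secrets.token_hex(16)}.{final_ext}"


# Constructed sample uploads for the demo (not captured traffic).
SAMPLES = {
    "report.pdf": b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n",
    "quote.pdf": b"%PDF-1.4\n<?php system($_REQUEST['c']); ?>\n",  # PDF-looking webshell
    "shell.pdf": b"<?php echo shell_exec($_GET['c']); ?>",          # bare webshell renamed .pdf
    "shell.php.pdf": b"%PDF-1.7\n",                                  # double extension
    "../../wp-config.php": b"",                                      # traversal in the name
    "cv.php": b"<?php phpinfo();",
    ".htaccess": b"AddType application/x-httpd-php .pdf\n",
}


def run_samples():
    """Map each sample name to (weak_result, hardened_result)."""
    return {name: (weak_upload_check(name), hardened_upload_check(name, data)[0])
            for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, (weak, hard) in run_samples().items():
        print(f"{name:22} weak={weak!s:5} hardened={hard}")
```

Of the seven samples, the weak check waves through four (the clean PDF and three disguised or double-extension webshells); the hardened check accepts only the clean PDF. The magic-byte test alone is not sufficient, since a file can begin with `%PDF-` and still contain a PHP open tag, which is why the PHP-tag check runs on every accepted type.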
Immediate Actions for Site Owners
Warning: If your WordPress site uses the Ninja Forms – File Upload plugin, update to version 3.3.27 immediately. Failure to patch may result in site compromise.
Site owners should confirm the installed version of the plugin and update to 3.3.27 or later without delay. Enabling a web application firewall such as the Wordfence Firewall adds a layer of protection for the window between disclosure and patching. For sites that may already be compromised, a full security audit is recommended: since the observed attacks drop PHP files and .htaccess files, the uploads directory is the first place to look for files that should not be there, followed by a check of the rest of the web root for backdoors.
What This Means for WordPress Users
This incident serves as a stark reminder of the risks associated with third-party plugins. For WordPress developers and site operators, routine updates and proactive security solutions are non-negotiable. Vulnerabilities like this one highlight the importance of using plugins from reputable developers and ensuring they are actively maintained.
The rapid exploitation of this flaw also underscores the need for early vulnerability disclosure and timely firewall updates. Managed hosting providers may see a surge in support requests from affected customers, while agencies must prioritize patching sites under their care.
Looking ahead, WordPress professionals should consider implementing stricter plugin vetting procedures and educating clients about the importance of security hygiene.
Frequently Asked Questions
What is the CVE ID for this vulnerability?
The CVE ID for this vulnerability is CVE-2026-0740.
Which version of Ninja Forms – File Upload is safe?
Version 3.3.27 is the fully patched release that resolves this issue; 3.3.25 and 3.3.26 contain only partial fixes and should still be treated as vulnerable.
Can free Wordfence users block these exploits?
Yes, free Wordfence users received the firewall rule protecting against this vulnerability on February 7, 2026.
What should I do if my site is compromised?
Conduct a full security audit, remove malicious files, and update all plugins and themes to their latest versions. Consider professional cleanup services if needed.