CVE · April 22, 2026

CVE-2026-0740: Inside the Ninja Forms File Upload Flaw Under Mass Exploitation

On April 6, 2026, Wordfence publicly disclosed a critical unauthenticated arbitrary file upload vulnerability in the Ninja Forms – File Uploads add-on for WordPress. Within hours of disclosure, opportunistic scanning turned into real attacks. By April 13, the Wordfence firewall had blocked more than 118,000 exploit attempts targeting the flaw. This is now tracked as CVE-2026-0740.

The plugin has roughly 50,000 active installations. If your site ships user uploads through Ninja Forms and the add-on is not on version 3.3.27 yet, treat this as an active incident. This is not a routine patch.

CVE-2026-0740 Ninja Forms: The vulnerability at a glance

CVE ID: CVE-2026-0740
Plugin: Ninja Forms – File Uploads
Affected versions: <= 3.3.26 (version 3.3.25 was only a partial fix and is still exploitable)
Fully patched version: 3.3.27
CVSS v3.1: 9.8 (Critical)
Impact: Unauthenticated arbitrary file upload leading to remote code execution

CVE-2026-0740 Ninja Forms: How the flaw works

The File Uploads add-on extends Ninja Forms with a file field that lets visitors attach files to a submission. Internally, those uploads flow through an AJAX endpoint handled by the NF_FU_AJAX_Controllers_Uploads::handle_upload method. That method accepts input from unauthenticated users, which is by design for public forms. The problem is how it decides whether a file is safe to keep.

The handler does perform a check on the uploaded file, but it validates the wrong thing: it inspects attributes of the source upload and ignores the destination filename that ultimately lands on disk. An attacker can send a crafted multipart POST request in which the destination filename carries a .php extension, and the plugin will happily move that file into the uploads directory without ever checking the final name.

It gets worse. The destination filename is also not sanitized for path characters, so an attacker can include sequences like ../ to traverse out of the uploads folder and drop the file directly in the webroot. The attacker then simply requests the uploaded PHP file over HTTP and the server executes it. No account, no token, no prior foothold required.

Exploitation is essentially a two-step operation: a POST to admin-ajax.php with the malicious filename and payload, then a GET for the resulting PHP file. Mass scanners have been running that pattern since April 9, 2026.

Who is at risk

Any WordPress site running the Ninja Forms – File Uploads add-on at version 3.3.26 or earlier is at risk. Note that this is the dedicated file upload extension for Ninja Forms, not the main Ninja Forms plugin itself. You can confirm by visiting Plugins in wp-admin and looking for “Ninja Forms – File Uploads”.

It is worth stressing that version 3.3.25 shipped as a fix but only closed part of the attack surface. If you updated early and stopped at 3.3.25 or 3.3.26, you are still vulnerable. Only 3.3.27 contains the complete patch.

What to do right now

The only reliable fix is to update the plugin: log in to wp-admin, open Plugins, and update Ninja Forms – File Uploads to version 3.3.27 or later. If your license has lapsed and updates are not available, temporarily deactivate the add-on until you can renew. Leaving a vulnerable version installed but “inactive” is safer than leaving it active, but the cleanest option is to remove it entirely until you can update.

Because mass exploitation has been underway for almost two weeks, updating is not enough on its own. You also need to check whether an attacker compromised your site before you patched. A few practical steps:

  • Review your uploads directory and webroot for unexpected .php files with recent modification dates.
  • Scan for new or unexpected administrator accounts, scheduled tasks, and must-use plugins.
  • Check access logs for POST requests to admin-ajax.php carrying the nf_fu_upload action, followed by GET requests from the same client to unusual PHP files.
  • Rotate passwords and WordPress salts if you find any indicator of compromise.
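One way to run the log check from the list above, as an added example that is not part of the original post or of Trusti's tooling: it parses constructed Apache combined-format lines and flags clients that POSTed to the nf_fu_upload action and then fetched a PHP file that is not a normal WordPress entry point. It assumes the action name is visible in the query string; if your scanner traffic carries it only in the POST body, widen UPLOAD_RE to any POST to admin-ajax.php.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [09/Apr/2026:10:14:02 +0000] "POST /wp-admin/admin-ajax.php?action=nf_fu_upload HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.10 - - [09/Apr/2026:10:14:05 +0000] "GET /wp-content/uploads/ninja-forms/x1.php HTTP/1.1" 200 48 "-" "python-requests/2.31"
198.51.100.7 - - [09/Apr/2026:10:20:11 +0000] "POST /wp-admin/admin-ajax.php?action=nf_fu_upload HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Apr/2026:10:20:12 +0000] "GET /contact/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
192.0.2.5 - - [09/Apr/2026:11:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Assumption: the action name is visible in the query string, as scanners commonly send it.
UPLOAD_RE = re.compile(r'/admin-ajax\.php\?.*\baction=nf_fu_upload\b')
# Normal WordPress entry points; any other .php fetched directly counts as "unusual".
KNOWN_PHP = {'/index.php', '/wp-login.php', '/xmlrpc.php', '/wp-cron.php',
             '/wp-admin/admin-ajax.php', '/wp-admin/admin-post.php'}
WINDOW = 3600  # seconds allowed between the upload POST and the follow-up GET

def parse(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {'ip': m['ip'], 'method': m['method'], 'path': m['path'], 'status': int(m['status']),
            'ts': datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')}

def is_unusual_php(path):
    clean = path.split('?', 1)[0]
    return clean.lower().endswith('.php') and clean not in KNOWN_PHP

def find_suspects(log_text):
    """Return {ip: [paths]} for clients that POSTed to the nf_fu_upload action and then,
    within WINDOW seconds, fetched a PHP file that is not a normal WordPress entry point."""
    last_upload = {}  # ip -> timestamp of its most recent upload POST
    suspects = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        if rec['method'] == 'POST' and UPLOAD_RE.search(rec['path']):
            last_upload[rec['ip']] = rec['ts']
        elif rec['method'] == 'GET' and is_unusual_php(rec['path']):
            seen = last_upload.get(rec['ip'])
            if seen is not None and 0 <= (rec['ts'] - seen).total_seconds() <= WINDOW:
                suspects[rec['ip']].append(rec['path'])
    return dict(suspects)
```

Every path it reports is a file to inspect on disk, and every POST-only client is still worth a look, since a failed or blocked upload attempt leaves no follow-up GET.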

If you run a web application firewall, make sure it is receiving current rule updates. Virtual patches for CVE-2026-0740 have been available from major WordPress security vendors. However, your firewall must be reachable and updated for these to work.

How Trusti Radar detects this

Trusti Radar continuously checks your installed plugins against the public vulnerability feed and flags any version that matches a known CVE. Sites running Ninja Forms – File Uploads at 3.3.26 or earlier appear as a critical finding with a direct link to the patched version, so you do not have to cross-reference release notes manually. Radar also watches for post-exploitation signals such as newly created admin users and unexpected PHP files appearing outside the expected WordPress paths, the typical footprints of arbitrary file upload flaws like this one. If you already run Trusti on your site, open the dashboard, look for the CVE-2026-0740 alert, and follow the remediation link.

The broader lesson

File upload bugs keep showing up in WordPress plugins. The security model for uploads is deceptively simple to get wrong: validating the source file is not the same as validating what lands on disk. The safer pattern is to force a server-generated filename with a hardcoded extension based on actual MIME inspection, and never to trust the client. CVE-2026-0740 is a textbook example of what happens when an application treats the destination filename as data rather than as input that needs sanitizing.
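An added illustration of the weak pattern described under “How the flaw works” beside the safer pattern this section recommends. This is example code, not the plugin's own: the SIGNATURES table, the upload directory and the function names are assumptions made for the demonstration.

```python
import os
import secrets

# Accepted types keyed by file signature (magic bytes). Assumption for this example:
# the form only needs PDF, PNG and JPEG attachments.
SIGNATURES = {b'%PDF-': 'pdf', b'\x89PNG\r\n\x1a\n': 'png', b'\xff\xd8\xff': 'jpg'}
UPLOAD_DIR = '/var/www/html/wp-content/uploads/example'  # assumed location

def sniff_extension(data):
    """Derive the extension from the content itself, never from a client-supplied name."""
    for magic, ext in SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return None

def escapes_dir(base, path):
    """True if path resolves outside base, which is what a missing path check lets through."""
    base = os.path.normpath(base)
    return os.path.commonpath([base, os.path.normpath(path)]) != base

def flawed_destination(base, source_name, dest_name):
    """Generic illustration of the weak pattern the article describes (not the plugin's
    code): the extension check runs on the source file's name, while the file is written
    under the client-supplied destination name with no check and no path sanitizing."""
    if not source_name.lower().endswith(tuple('.' + e for e in SIGNATURES.values())):
        raise ValueError('rejected by source-name check')
    return os.path.join(base, dest_name)  # dest_name may end in .php or contain ../

def safe_destination(base, data):
    """Hardened pattern: type from magic bytes, server-generated name, containment check."""
    ext = sniff_extension(data)
    if ext is None:
        raise ValueError('unsupported file type')
    name = secrets.token_hex(16) + '.' + ext   # the client never influences the name
    path = os.path.join(base, name)
    if escapes_dir(base, path):                 # defense in depth; cannot trip here
        raise ValueError('path escapes upload directory')
    return path
```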

If your site uses Ninja Forms – File Uploads, update to 3.3.27 today. Check for signs of compromise. Assume nothing until both are done.
