
"The affected addon is used by roughly 50,000 websites, and the company has seen thousands of attempts to exploit the vulnerability."
"An unauthenticated attacker could exploit this vulnerability to upload malicious PHP code to a vulnerable website's server, and then access the file to achieve remote code execution (RCE)."
"Since no filename sanitization is utilized, the malicious parameter also facilitates path traversal, allowing the file to be moved even to the webroot directory."
"Users are advised to upgrade to Ninja Forms - File Uploads version 3.3.27 as soon as possible, as all previous iterations are affected by the bug."
A vulnerability in the File Uploads addon for the Ninja Forms WordPress plugin could allow attackers to take over affected websites. This critical defect, tracked as CVE-2026-0740 with a CVSS score of 9.8, stems from inadequate file type validation. The flaw enables unauthenticated file uploads, including malicious PHP files, which can lead to remote code execution. Users are urged to upgrade to version 3.3.27 to mitigate the risk, as previous versions are vulnerable. The issue was reported through the Wordfence bug bounty program.
Read at SecurityWeek