Perceptive Security
SOC/SIEM Consultancy

Hackers exploit critical flaw in Ninja Forms WordPress plugin
Published: 7 April 2026 at 22:03:01
Alert date: 7 April 2026 at 23:01:57
Source: bleepingcomputer.com
Web Technologies, Zero-Day Vulnerabilities
A critical vulnerability in the Ninja Forms File Uploads premium add-on for WordPress allows attackers to upload arbitrary files without authentication. This vulnerability can lead to remote code execution on affected WordPress sites. The flaw is being actively exploited by hackers in the wild. The vulnerability affects the file upload functionality of the popular WordPress form builder plugin. Website administrators using this plugin are at immediate risk and should apply security patches urgently.
Technical details
A critical vulnerability in the Ninja Forms File Uploads premium add-on lets an unauthenticated attacker upload arbitrary files, leading to remote code execution. The root cause is missing validation on the destination filename: the affected function performs no file-type or extension check on that name before the move operation and applies no filename sanitization, so a crafted name can traverse directories and place the uploaded file in the webroot. An attacker can therefore upload arbitrary PHP code and then request the file to trigger remote code execution.
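The PHP below is an added illustration, not Ninja Forms code: a hypothetical upload-move routine that carries the two weaknesses the advisory describes (no file-type or extension check on the destination name, no filename sanitization) beside a hardened version of the same routine. Function names, the allowlists and the directory layout are assumptions.

```php
<?php
declare(strict_types=1);

// VULNERABLE (hypothetical, mirrors the advisory's description of the flaw).
function move_upload_unsafe(string $tmp_path, string $client_name, string $upload_dir): string
{
    // The destination is built from the client-supplied name with no extension
    // check and no sanitization, so a name such as "../../x.php" walks out of
    // $upload_dir and a .php file lands somewhere the web server will execute it.
    $dest = $upload_dir . '/' . $client_name;
    move_uploaded_file($tmp_path, $dest);
    return $dest;
}

// HARDENED: allowlisted extensions, sanitized name, content sniffing,
// server-chosen filename, and a confinement check on the resolved path.
function move_upload_safe(string $tmp_path, string $client_name, string $upload_dir): ?string
{
    // Assumption: the form only needs documents and images.
    $allowed_ext  = ['pdf', 'png', 'jpg', 'jpeg', 'gif', 'txt'];
    $allowed_mime = ['application/pdf', 'image/png', 'image/jpeg', 'image/gif', 'text/plain'];

    // Strip directory components (either separator) and unusual characters.
    $base = basename(str_replace('\\', '/', $client_name));
    $base = preg_replace('/[^A-Za-z0-9._-]/', '_', $base);

    // Every dotted segment after the stem must be allowlisted. This rejects
    // "shell.php" and also "shell.php.txt", which some server configurations
    // still hand to the PHP interpreter; it also rejects stem-less names like ".htaccess".
    $segments = explode('.', $base);
    $stem     = array_shift($segments);
    if ($stem === '' || count($segments) === 0) {
        return null;
    }
    foreach ($segments as $ext) {
        if (!in_array(strtolower($ext), $allowed_ext, true)) {
            return null;
        }
    }

    // Check the bytes, not just the name.
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = $finfo ? finfo_file($finfo, $tmp_path) : false;
    if ($finfo) {
        finfo_close($finfo);
    }
    if ($mime === false || !in_array($mime, $allowed_mime, true)) {
        return null;
    }

    // The stored name is chosen by the server, never by the client.
    $final_ext = strtolower(end($segments));
    $dest_name = bin2hex(random_bytes(16)) . '.' . $final_ext;

    // Resolve the upload directory and insist the destination stays inside it.
    $dir = realpath($upload_dir);
    if ($dir === false || !is_dir($dir)) {
        return null;
    }
    $dest = $dir . DIRECTORY_SEPARATOR . $dest_name;
    if (strncmp($dest, $dir . DIRECTORY_SEPARATOR, strlen($dir) + 1) !== 0) {
        return null;
    }

    return move_uploaded_file($tmp_path, $dest) ? $dest : null;
}
```

Inside a WordPress plugin the native route is `wp_handle_upload()`, which runs the filename through `sanitize_file_name()` and the type through `wp_check_filetype_and_ext()`; the point of the hardened version above is the same: the client never decides the final name or directory, the extension and the content are checked before the move, and the resolved path is verified to remain under the upload directory. Pairing this with a web server rule that refuses to execute scripts from the uploads directory limits the blast radius even if a check is bypassed.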
Mitigation steps:
Users of Ninja Forms File Upload are strongly advised to upgrade to version 3.3.27 or later, available since March 19, as a priority. The Wordfence firewall provides protection against exploitation attempts.
Affected products:
Ninja Forms File Upload versions up to 3.3.26
WordPress Ninja Forms plugin
Related links:
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/ninja-forms-uploads/ninja-forms-file-upload-3326-unauthenticated-arbitrary-file-upload
https://wordpress.org/plugins/ninja-forms/
https://ninjaforms.com/extensions/file-uploads/
https://www.wordfence.com/blog/2026/04/50000-wordpress-sites-affected-by-arbitrary-file-upload-vulnerability-in-ninja-forms-file-upload-wordpress-plugin/
This article was created with the assistance of AI technology by Perceptive.
