The Ninja Forms - File Uploads plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'NF_FU_AJAX_Controllers_U…

The Ninja Forms File Uploads plugin for WordPress contains a critical vulnerability allowing arbitrary file uploads due to missing file type validation in versions up to 3.3.26. Unauthenticated attackers can exploit this flaw to upload malicious files to the server, potentially leading to remote code execution. The vulnerability exists in the 'NF_FU_AJAX_Controllers_Uploads::handle_upload' function and affects all versions through 3.3.26. A partial fix was implemented in version 3.3.25, with a complete patch released in version 3.3.27. This represents a serious security risk for WordPress sites using the affected plugin versions.