Description
The Ninja Forms - File Uploads plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'NF_FU_AJAX_Controllers_Uploads::handle_upload' function in all versions up to, and including, 3.3.26. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Note: The vulnerability was partially patched in version 3.3.25 and fully patched in version 3.3.27.
Published: 2026-04-07
Score: 9.8 Critical
EPSS: 22.0% Moderate
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the upload handler of the Ninja Forms – File Uploads plugin for WordPress, where missing file‑type validation allows any file to be stored on the server. An attacker can exploit this to upload a malicious script or binary, paving the way for code execution and potential site takeover. The weakness is classified as CWE‑434, representing an unrestricted upload of potentially dangerous file types.
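The following is an added example, not code from the Ninja Forms - File Uploads plugin or from WordPress core; it shows the CWE-434 pattern the description names (an upload handler that trusts the client-supplied filename) beside a hardened handler that enforces an extension allow-list, checks the file's magic bytes with PHP's finfo, and stores the file under a server-generated name. The function names (vulnerable_store, safe_store) and the sample "uploads" are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example: illustrative handlers, not the plugin's own code.
// Vulnerable pattern: the client-chosen name and bytes go straight into a
// web-served directory, so a request naming the file "shell.php" yields a
// script the web server will execute.
function vulnerable_store(string $clientName, string $tmpPath, string $uploadDir): string
{
    $dest = $uploadDir . '/' . basename($clientName);
    copy($tmpPath, $dest); // a real handler would call move_uploaded_file()
    return $dest;
}

// Allow-list: permitted extension => MIME type libmagic must report for the bytes.
const ALLOWED_TYPES = [
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
    'pdf'  => 'application/pdf',
];

/**
 * Hardened pattern. Returns the stored path or throws with the reason.
 *  1. only the last extension counts, lower-cased, and it must be allow-listed;
 *  2. the content's MIME type (magic bytes) must match that extension;
 *  3. the stored name is generated server-side, so "image.jpg.php" or
 *     ".htaccess" from the client never reaches the filesystem.
 */
function safe_store(string $clientName, string $tmpPath, string $uploadDir): string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        throw new RuntimeException("rejected: extension '$ext' not allowed");
    }
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($detected !== ALLOWED_TYPES[$ext]) {
        throw new RuntimeException("rejected: content is $detected, not " . ALLOWED_TYPES[$ext]);
    }
    $dest = $uploadDir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!copy($tmpPath, $dest)) {
        throw new RuntimeException('store failed');
    }
    chmod($dest, 0644); // never an execute bit on an upload
    return $dest;
}

// Demo with constructed inputs (left in the temp dir for inspection).
$uploadDir = sys_get_temp_dir() . '/uploads_demo_' . getmypid();
mkdir($uploadDir, 0755);

// Constructed 1x1 PNG (signature + IHDR chunk, CRC not needed for libmagic).
$png = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($png, "\x89PNG\r\n\x1a\n\0\0\0\x0dIHDR\0\0\0\x01\0\0\0\x01\x08\x02\0\0\0\0\0\0\0");
// Constructed PHP payload.
$php = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($php, "<?php system(\$_GET['c']); ?>");

$cases = [
    ['photo.png',     $png], // legitimate image
    ['photo.png.php', $php], // double extension, script content
    ['photo.png',     $php], // innocent name, script content
];
foreach ($cases as [$name, $tmp]) {
    echo "vulnerable: $name -> " . basename(vulnerable_store($name, $tmp, $uploadDir)) . "\n";
    try {
        echo "hardened:   $name -> " . basename(safe_store($name, $tmp, $uploadDir)) . "\n";
    } catch (RuntimeException $e) {
        echo "hardened:   $name -> " . $e->getMessage() . "\n";
    }
}
```

Run it with `php example.php`: the vulnerable handler writes `photo.png.php` into the upload directory, while the hardened handler rejects the second case on its extension and the third on its content. In a real WordPress plugin the same checks are available through core's wp_check_filetype_and_ext(); the magic-byte check matters because a client can name any bytes whatever it likes.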

Affected Systems

This issue affects all releases of the Ninja Forms – File Uploads WordPress extension supplied by SaturdayDrive up to version 3.3.26. A partial mitigation was introduced in 3.3.25, but the full fix is only available in version 3.3.27 and later.

Risk and Exploitability

With a CVSS 3.1 base score of 9.8 and an EPSS score of 0.21968 (about 22%, rated moderate above), the vulnerability is severe and carries a moderate, not low, probability of exploitation in the wild. The upload endpoint is reachable without authentication, so an attacker needs only network access to the site to reach it. Once a malicious file is stored in a web-served location, code execution is possible, compromising confidentiality, integrity, and availability of the affected site.

Generated by OpenCVE AI on June 1, 2026 at 15:07 UTC.

Remediation

The vendor fix is version 3.3.27 of the plugin; version 3.3.25 contained only a partial fix, and no workaround other than updating is documented.

OpenCVE Recommended Actions

  • Update the Ninja Forms – File Uploads plugin to version 3.3.27 or later.
  • If an update cannot be applied immediately, block the plugin's upload action at a web‑application firewall, and deny script execution in the upload directory (on Apache with an .htaccess rule; on nginx, which ignores .htaccess, with an equivalent location rule).
  • Verify that the upload directory's permissions and web‑server configuration prevent execution of uploaded files, and monitor the directory for unexpected files: script extensions, double extensions such as name.php.jpg, and files whose content does not match their extension.
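The two interim measures above, as an added example that is not part of the OpenCVE page or the plugin: a script that writes an execution-denying .htaccess into the upload tree, clears execute bits, and lists files that do not belong in an upload directory. The function names, the .htaccess text and the sample files are constructed for illustration; the .htaccess only takes effect on Apache with AllowOverride enabled for the uploads path.

```php
<?php
declare(strict_types=1);

// Added example: illustrative mitigation script, not the plugin's own code.
// Usage: php harden_uploads.php /path/to/wp-content/uploads
// With no argument it builds a constructed demo directory under the temp dir.

const SCRIPT_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar',
                           'pht', 'phps', 'cgi', 'pl', 'py', 'sh'];

// Apache 2.4 syntax; requires AllowOverride for this path. Matches script
// extensions anywhere in the name, so shell.php.jpg is denied as well.
const HTACCESS_DENY_EXEC = <<<'HT'
# Deny serving or executing anything that looks like a script in this tree.
<FilesMatch "(?i)\.(ph(p[0-9]?|t|tml|ar|ps)|cgi|pl|py|sh)($|\.)">
    Require all denied
</FilesMatch>
HT;

// Write the deny rule (if missing or altered) and clear execute bits.
// Returns the number of files whose permissions were changed.
function harden_upload_dir(string $dir): int
{
    $ht = $dir . '/.htaccess';
    if (!is_file($ht) || file_get_contents($ht) !== HTACCESS_DENY_EXEC) {
        file_put_contents($ht, HTACCESS_DENY_EXEC, LOCK_EX);
    }
    $fixed = 0;
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $f) {
        if ($f->isFile() && ($f->getPerms() & 0111)) {
            chmod($f->getPathname(), $f->getPerms() & ~0111);
            $fixed++;
        }
    }
    return $fixed;
}

// Return [path => reason] for files that should not be in an upload tree.
function find_suspicious_uploads(string $dir, int $sniffBytes = 4096): array
{
    $hits = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $f) {
        if (!$f->isFile() || $f->getFilename() === '.htaccess') {
            continue;
        }
        $path = $f->getPathname();
        $ext  = strtolower($f->getExtension());
        if (in_array($ext, SCRIPT_EXTENSIONS, true)) {
            $hits[$path] = "script extension .$ext";
            continue;
        }
        // Double extension (shell.php.jpg): some Apache setups pick the handler from any extension.
        $parts = explode('.', strtolower($f->getFilename()));
        if (count($parts) > 2 && array_intersect(array_slice($parts, 1, -1), SCRIPT_EXTENSIONS)) {
            $hits[$path] = 'script extension hidden inside the name';
            continue;
        }
        // PHP opening tag inside a file that claims to be something else.
        $head = (string) file_get_contents($path, false, null, 0, $sniffBytes);
        if (strpos($head, '<?php') !== false || strpos($head, '<?=') !== false) {
            $hits[$path] = 'PHP opening tag inside a non-script file';
        }
    }
    ksort($hits);
    return $hits;
}

$dir = $argv[1] ?? null;
if ($dir === null) {
    // Constructed demo tree: one real-looking image and three planted files.
    $dir = sys_get_temp_dir() . '/uploads_demo_' . getmypid();
    mkdir("$dir/2026/04", 0755, true);
    file_put_contents("$dir/2026/04/photo.png", "\x89PNG\r\n\x1a\n");
    file_put_contents("$dir/2026/04/shell.php", "<?php system(\$_GET['c']);");
    file_put_contents("$dir/2026/04/shell.php.jpg", "<?php eval(\$_POST['x']);");
    file_put_contents("$dir/2026/04/innocent.jpg", "GIF89a<?php phpinfo();");
    chmod("$dir/2026/04/shell.php", 0755);
}
printf("wrote %s/.htaccess; execute bits cleared on %d file(s)\n", $dir, harden_upload_dir($dir));
foreach (find_suspicious_uploads($dir) as $path => $why) {
    echo "SUSPICIOUS $path: $why\n";
}
```

The scan is a detection aid, not proof of compromise: a flagged file shows that something other than the validated upload path wrote to the directory, and the file's timestamp and the web-server access log for the plugin's AJAX upload action are the next things to check. Re-run the scan after applying 3.3.27, since the update removes the entry point but not anything already dropped.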

Tracking


Advisories

No advisories yet.

History

Tue, 07 Apr 2026 15:15:00 +0000

Type       Values Removed   Values Added
Metrics                     ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 07 Apr 2026 09:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Saturdaydrive
                                       Saturdaydrive ninja Forms - File Uploads
                                       Wordpress
                                       Wordpress wordpress
Vendors & Products                     Saturdaydrive
                                       Saturdaydrive ninja Forms - File Uploads
                                       Wordpress
                                       Wordpress wordpress

Tue, 07 Apr 2026 07:15:00 +0000

Type          Values Removed   Values Added
Description                    The Ninja Forms - File Uploads plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'NF_FU_AJAX_Controllers_Uploads::handle_upload' function in all versions up to, and including, 3.3.26. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Note: The vulnerability was partially patched in version 3.3.25 and fully patched in version 3.3.27.
Title                          Ninja Forms - File Upload <= 3.3.26 - Unauthenticated Arbitrary File Upload
Weaknesses                     CWE-434
References
Metrics                        cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Saturdaydrive Ninja Forms - File Uploads
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:34:50.670Z

Reserved: 2026-01-08T16:45:37.724Z

Link: CVE-2026-0740

Vulnrichment

Updated: 2026-04-07T14:34:07.650Z

NVD

Status : Deferred

Published: 2026-04-07T05:16:06.897

Modified: 2026-04-27T19:04:22.650

Link: CVE-2026-0740

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T15:15:30Z

Weaknesses