Critical Vulnerability in Ninja Forms Plugin Exposes 50,000 WordPress Sites to RCE

Critical Vulnerability in Ninja Forms Plugin Exposes 50,000 WordPress Sites to RCE

First seen 7 Apr 2026, 08:01 UTC GbhackersCybersecuritynewsBleepingcomputerInfosecurity-MagazineScworld 91% similarity 78.0

Article Content

Browse articles
ThreatCluster

A critical vulnerability (CVE-2026-0740) in the Ninja Forms File Uploads plugin for WordPress allows unauthenticated attackers to upload arbitrary files, potentially leading to remote code execution. This flaw, with a CVSS score of 9.8, affects versions up to 3.3.26 and has been actively exploited, with over 3,600 attacks blocked in the last 24 hours by Wordfence. Approximately 50,000 websites utilizing this plugin are at risk, as the vulnerability stems from inadequate validation of file types during upload. Discovered by researcher Sélim Lanouar, the flaw was reported on January 8, 2026, and a complete fix was released on March 19, 2026. Users are strongly advised to upgrade to the latest version to mitigate risks. The potential impact includes complete site takeover and deployment of web shells.

Key Points: • CVE-2026-0740 allows arbitrary file uploads without authentication. • Over 50,000 WordPress sites using Ninja Forms are vulnerable to exploitation. • A complete fix was released on March 19, 2026; users must upgrade immediately.

ThreatCluster AI

Timeline

2026-01-08
Vulnerability discovered and reported to Wordfence
2026-02-10
Partial fix released after patch reviews
2026-03-19
Complete fix released in version 3.3.27
2026-04-07
CVE-2026-0740 published, active exploitation reported

Community

Browse all →