Critical RCE Vulnerability in Ninja Forms Plugin Affects 50,000 WordPress Sites
Severity: High (Score: 77.2)
Sources: Gbhackers, Cybersecuritynews
Summary
A severe security vulnerability has been identified in the Ninja Forms File Upload plugin for WordPress, tracked as CVE-2026-0740. This unauthenticated arbitrary file upload flaw has a maximum CVSS score of 9.8, indicating a critical level of risk. Approximately 50,000 websites utilizing this plugin are at risk of complete takeover. The vulnerability allows attackers to upload malicious files without authentication, potentially leading to remote code execution. Discovered by security researcher Sélim Lanouar, the flaw requires immediate attention from website administrators to mitigate risks. The vulnerability was officially published on April 7, 2026, prompting urgent advisories for affected users. Administrators are advised to update or disable the plugin until a patch is available.
Key Points:
- CVE-2026-0740 affects approximately 50,000 WordPress sites using Ninja Forms.
- The vulnerability allows unauthenticated arbitrary file uploads, leading to potential RCE.
- Website administrators are urged to take immediate action to secure their sites.
Key Entities
- Zero-day Exploit (attack_type)
- CVE-2026-0740 (cve)
- Ninja Forms (platform)
- WordPress (platform)