Critical Vulnerability in Ninja Forms Plugin Exposes 50,000 WordPress Sites to RCE
Severity: High (Score: 78.0)
Sources: Cybersecuritynews, Bleepingcomputer, Gbhackers
Summary
A critical vulnerability (CVE-2026-0740) in the Ninja Forms File Uploads plugin for WordPress allows unauthenticated attackers to upload arbitrary files, potentially leading to remote code execution. The flaw, rated CVSS 9.8, affects versions up to and including 3.3.26 and is being actively exploited: Wordfence reports blocking over 3,600 attack attempts in the last 24 hours. Approximately 50,000 websites running the plugin are at risk. The root cause is inadequate validation of file types during upload, which lets an attacker store a file the web server will execute as code. The flaw was discovered by researcher Sélim Lanouar and reported on January 8, 2026; a complete fix was released on March 19, 2026. Users are strongly advised to upgrade to the latest version. The potential impact includes complete site takeover and deployment of web shells.
Key Points:
• CVE-2026-0740 allows arbitrary file uploads without authentication.
• Over 50,000 WordPress sites using Ninja Forms are vulnerable to exploitation.
• A complete fix was released on March 19, 2026; users must upgrade immediately.
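The bug class named above, inadequate file type validation in an upload handler, is easiest to see as a bypassable check next to a hardened one. The following is an added illustrative example, not code from the Ninja Forms File Uploads plugin or from the advisory; the handler, the allowlist and denylist, and the sample file contents are all constructed for this page and do not describe how CVE-2026-0740 is actually triggered.

```python
"""Illustrative file-type validation for an upload handler.

Added example, not Ninja Forms code. Models the generic weakness the advisory
describes: trusting the client-supplied type and checking only the last
extension, versus allowlisting every segment and verifying the file's magic
number. All names and sample payloads below are hypothetical/constructed.
"""
import os
import secrets

# Extensions a typical PHP web server will execute (hypothetical denylist).
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "inc"}
# What the form is meant to accept (hypothetical allowlist).
ALLOWED_EXTS = {"jpg", "jpeg", "png", "gif", "pdf"}
# Leading bytes that each allowed type must start with.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}

# Constructed sample uploads used by the checks below.
JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + b"\x00" * 12      # minimal JPEG header
PHP_SAMPLE = b"<?php echo 'constructed sample'; ?>"   # would run if stored in webroot


def weak_is_allowed(filename: str, client_mime: str) -> bool:
    """Bypassable check: denylists only '.php' on the last extension and
    trusts the Content-Type the client chose. Alternate PHP extensions and
    double extensions both get through."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext == "php":
        return False
    return client_mime.startswith(("image/", "application/pdf"))


def hardened_is_allowed(filename: str, content: bytes) -> bool:
    """Hardened check: every extension segment must avoid the executable set,
    the final extension must be allowlisted, the content must carry the
    matching magic number, and the client's MIME type is ignored entirely."""
    base = os.path.basename(filename)
    parts = base.lower().split(".")
    if len(parts) < 2 or any(p == "" for p in parts):
        return False  # no extension, dotfile such as .htaccess, or empty segment
    segments = parts[1:]
    if any(seg in EXECUTABLE_EXTS for seg in segments):
        return False  # shell.phtml, shell.php.jpg, ...
    ext = segments[-1]
    if ext not in ALLOWED_EXTS:
        return False
    return any(content.startswith(m) for m in MAGIC[ext])


def safe_stored_name(filename: str) -> str:
    """Never reuse the client's filename on disk: random basename plus an
    allowlisted extension. Call only after hardened_is_allowed() passed."""
    ext = os.path.basename(filename).lower().rsplit(".", 1)[-1]
    if ext not in ALLOWED_EXTS:
        raise ValueError("extension not allowed")
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    for name, mime, body in [
        ("photo.jpg", "image/jpeg", JPEG_SAMPLE),
        ("shell.phtml", "image/jpeg", PHP_SAMPLE),
        ("shell.php.jpg", "image/jpeg", PHP_SAMPLE),
    ]:
        print(name, "weak:", weak_is_allowed(name, mime),
              "hardened:", hardened_is_allowed(name, body))
```

The hardened version also assumes the upload directory denies script execution and sits outside the document root where possible; the validator alone is a defence-in-depth layer, not a substitute for that server configuration.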
Key Entities
- Malware (attack_type)
- Zero-day Exploit (attack_type)
- CVE-2026-0740 (cve)
- T1505.003 - Web Shell (mitre_attack)
- Ninja Forms (platform)
- WordPress (platform)