
Emerging Threat: (CVE-2026-0740) Ninja Forms File Upload Unauthenticated RCE

What is CVE-2026-0740?

CVE-2026-0740 is an unauthenticated arbitrary file upload vulnerability in the Ninja Forms – File Uploads extension for WordPress, caused by missing file type validation on the destination filename during the file move operation inside the NF_FU_AJAX_Controllers_Uploads::handle_upload function. The vulnerability carries a CVSS v3.1 base score of 9.8 (Critical).

No authentication is required to exploit the flaw. Because the plugin validates the file type of the source filename but not the destination filename, an attacker can bypass the intended extension allowlist by manipulating the destination path, allowing a PHP webshell or other malicious file to be written to the server.

Successful exploitation may result in remote code execution on the underlying web server, giving an attacker arbitrary command execution, data exfiltration, and the ability to pivot deeper into the hosting environment. The attack requires no user interaction and no elevated privileges.

What assets are affected by CVE-2026-0740?

All versions of the Ninja Forms – File Uploads plugin up to and including 3.3.26 are vulnerable. The flaw was partially addressed in version 3.3.25 and fully remediated in version 3.3.27, released on March 19, 2026.

Affected assets are WordPress sites with the File Uploads extension active and file upload forms exposed to the public internet. The plugin is used in approximately 50,000 active WordPress installations, spanning a wide range of site types: lead generation forms, contact forms, career portals, and donation pages are all common deployment patterns. Sites running older plugin versions on shared or managed hosting are particularly at risk, as the upload handler responds to unauthenticated AJAX requests.

Because the plugin is a premium extension sold separately from the core Ninja Forms plugin, patch adoption may lag compared to free WordPress plugins distributed via the official repository. Sites that have disabled auto-updates or do not actively monitor plugin changelogs are likely to remain on vulnerable versions for extended periods.

Are fixes available?

A full patch is available. The Ninja Forms – File Uploads extension version 3.3.27 resolves CVE-2026-0740 and was released on March 19, 2026. Version 3.3.25, released February 10, 2026, contained a partial fix that addressed some but not all bypass vectors. Sites running version 3.3.25 or 3.3.26 should still treat their installations as vulnerable and upgrade to 3.3.27.

The fix is distributed through the vendor's official extension channel at ninjaforms.com. Administrators using a WordPress plugin auto-update mechanism for premium plugins should verify whether the update has been applied, as premium extension updates do not always flow through the standard WordPress.org update pipeline. Defenders should confirm the installed version directly in the WordPress dashboard rather than assuming the fix has been deployed.

Site administrators should update the Ninja Forms – File Uploads extension to version 3.3.27 immediately. Until the update is confirmed, file upload functionality should be temporarily disabled or, where the business context allows it, restricted to authenticated users. Web application firewall rules can provide a partial mitigation layer by blocking requests that attempt to upload PHP or other executable file types. Server-side upload directories should be configured to deny execution of uploaded files regardless of extension. Administrators should also audit recent file uploads for any unexpected PHP files or webshells placed on the server before the patch was applied.
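As an added example (not CyCognito's or the plugin's own code), here is a small audit script for the last recommendation above: it walks a WordPress uploads directory and flags files that carry a PHP-executable extension anywhere in their name or a PHP open tag in their content, since with this bug the destination filename, not the validated source name, decides what lands on disk. The extension list and the sample files built by `demo()` are assumptions constructed for illustration.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Extensions a PHP-enabled web server will commonly execute. This list is an
# assumption; adjust it to the handlers actually configured on the host.
EXEC_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".phps"}
# Content check: a PHP open tag flags a file even when its extension looks harmless.
PHP_OPEN_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def audit_uploads(upload_dir, max_read=4096):
    """Return sorted (relative_path, reason) pairs for suspicious files under upload_dir."""
    root = Path(upload_dir)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        # Check every suffix, not only the last: "name.php.bak" can still be
        # handled as PHP by some Apache configurations.
        if {s.lower() for s in path.suffixes} & EXEC_EXTENSIONS:
            findings.append((rel, "executable extension"))
            continue
        with path.open("rb") as fh:
            head = fh.read(max_read)  # only the leading bytes are inspected
        if PHP_OPEN_TAG.search(head):
            findings.append((rel, "php open tag in content"))
    return sorted(findings)


def demo():
    """Build a constructed sample upload tree, audit it, and return the findings."""
    tmp = Path(tempfile.mkdtemp())
    try:
        samples = {  # constructed sample files, not real uploads
            "resume.pdf": b"%PDF-1.4\n%benign document\n",
            "notes.txt": b"just a text note\n",
            "invoice.php": b"<?php echo 'test'; ?>",
            "archive.php.bak": b"<?= 1 ?>",
            "2026/03/photo.jpg": b"\xff\xd8\xff\xe0JFIF<?php echo 'hidden'; ?>",
        }
        for name, data in samples.items():
            target = tmp / name
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return audit_uploads(tmp)
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason}: {rel}")
```

Point `audit_uploads()` at the real `wp-content/uploads` path to run it against a live site; the content check is what catches a file whose extension was laundered but whose body is still PHP.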

How can CyCognito help your organization?

CyCognito published an Emerging Threat Advisory for CVE-2026-0740 in the CyCognito platform and is actively researching enhanced detection capabilities for this vulnerability.

To learn how CyCognito can help your organization reduce external exposure and manage emerging threats more effectively, contact us to request a demo.
