www.infosecurity-magazine.com 4/9/2026, 2:31:55 AM

Critical Vulnerability in Ninja Forms Exposes WordPress Sites

A critical arbitrary file upload vulnerability has been identified in the Ninja Forms – File Upload Plugin, exposing thousands of WordPress sites to potential compromise. The issue affects plugin versions up to and including 3.3.26 and allows unauthenticated attackers to upload malicious files, which could lead to remote code execution.

The flaw carries a CVSS score of 9.8 and stems from insufficient file validation in the plugin’s upload handling function, enabling attackers to bypass the intended restrictions and place harmful files directly on the server. The vulnerability was discovered by security researcher Sélim Lanouar, known as whattheslime, who reported it through the Wordfence Bug Bounty Program and reportedly received a $2,145 reward for the finding.

Analysis of the plugin code showed that validation checks exist but fail to properly verify file types and extensions. This allows attackers to upload files with dangerous extensions such as .php, manipulate filenames, and use path traversal techniques to place files in sensitive directories, which can result in remote code execution.
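The three weaknesses described above (executable extensions, filename manipulation, path traversal) are exactly what a correct upload validator has to close. The following is an added illustrative example written for this page; it is not code from the Ninja Forms plugin, from Wordfence, or from the advisory, and it makes no claim about how the plugin's own checks are written. The function names, the allow/deny lists, the MIME mapping and the sample filenames are all invented for the demonstration.

```php
<?php
// Added illustrative example; not the plugin's code. All names below are invented.
// Shows the checks an upload handler needs to block executable extensions,
// manipulated filenames and path traversal, plus a content check that does not
// trust the client-supplied Content-Type.

// Extensions the form is meant to accept (assumed allowlist for this example).
const NF_EXAMPLE_ALLOWED_EXT = ['pdf', 'png', 'jpg', 'jpeg', 'gif', 'txt'];

// Extensions that must never be stored under the web root, whatever the allowlist
// says. Covers the PHP variants Apache/PHP-FPM may execute and a few others that
// matter under a web root (.htaccess, server-side includes, active content).
const NF_EXAMPLE_DENIED_EXT = [
    'php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phar', 'pht',
    'inc', 'htaccess', 'shtml', 'cgi', 'pl', 'sh', 'html', 'htm', 'svg', 'js',
];

// Expected MIME type per allowed extension (assumed mapping for this example).
const NF_EXAMPLE_EXPECTED_MIME = [
    'pdf' => 'application/pdf', 'png' => 'image/png', 'jpg' => 'image/jpeg',
    'jpeg' => 'image/jpeg', 'gif' => 'image/gif', 'txt' => 'text/plain',
];

/**
 * Validate a client-supplied filename and return a safe server-side name,
 * or null if the upload must be rejected. The client name is used only to
 * derive the extension; the stored name is random, so attacker-controlled
 * characters never reach the filesystem path.
 */
function nf_example_safe_upload_name(string $client_name, array $allowed = NF_EXAMPLE_ALLOWED_EXT): ?string
{
    // 1. Drop any directory component. basename() only treats '\' as a separator
    //    on Windows, so normalise backslashes first; otherwise 'a\..\..\x.php'
    //    would survive on Linux.
    $name = basename(str_replace('\\', '/', $client_name));

    // 2. Reject empty names, dotfiles (.htaccess) and control/null bytes.
    if ($name === '' || $name[0] === '.' || preg_match('/[\x00-\x1f\x7f]/', $name)) {
        return null;
    }

    // 3. Every extension counts, not just the last: 'shell.php.png' and
    //    'shell.png.php' must both fail. Trailing dots/spaces are stripped first
    //    because some filesystems silently drop them ('shell.php.' -> 'shell.php').
    $name  = rtrim($name, ". \t");
    $parts = explode('.', strtolower($name));
    array_shift($parts);                // discard the base name, keep all extensions
    if (count($parts) === 0) {
        return null;                    // no extension at all: cannot classify
    }
    foreach ($parts as $ext) {
        if (in_array($ext, NF_EXAMPLE_DENIED_EXT, true)) {
            return null;
        }
    }

    // 4. The final extension must be on the allowlist.
    $final = end($parts);
    if (!in_array($final, $allowed, true)) {
        return null;
    }

    // 5. Never reuse the client name on disk; only the vetted extension is kept.
    return bin2hex(random_bytes(16)) . '.' . $final;
}

/**
 * Check that the file's bytes match its (already vetted) extension using
 * libmagic, instead of the client-supplied Content-Type header.
 */
function nf_example_content_matches(string $tmp_path, string $safe_name): bool
{
    $ext      = strtolower(pathinfo($safe_name, PATHINFO_EXTENSION));
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($tmp_path);
    return isset(NF_EXAMPLE_EXPECTED_MIME[$ext]) && $detected === NF_EXAMPLE_EXPECTED_MIME[$ext];
}

// Constructed sample inputs (not taken from the advisory).
$samples = [
    'report.pdf', 'photo.JPG', 'shell.php', 'shell.php.png', 'shell.png.php',
    '../../wp-config.php', '../../../uploads/ok.png', 'a\..\..\shell.phtml',
    '.htaccess', 'shell.php.', "shell.php\0.png", 'noext',
];
foreach ($samples as $s) {
    $r = nf_example_safe_upload_name($s);
    printf("%-28s => %s\n", json_encode($s), $r === null ? 'REJECT' : 'accept as ' . $r);
}

// Content check: PHP bytes named .png must fail; a minimal real PNG must pass.
$tmp = tempnam(sys_get_temp_dir(), 'nf');
file_put_contents($tmp, "<?php system(\$_GET['c']); ?>");
printf("php bytes as .png: %s\n", nf_example_content_matches($tmp, 'x.png') ? 'accept' : 'REJECT');
file_put_contents($tmp, "\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR"
    . "\x00\x00\x00\x01\x00\x00\x00\x01\x08\x02\x00\x00\x00\x90\x77\x53\xde");   // 1x1 RGB IHDR
printf("real png as .png:  %s\n", nf_example_content_matches($tmp, 'x.png') ? 'accept' : 'REJECT');
unlink($tmp);
```

Two design points matter more than the lists themselves: the stored filename is generated server-side, so neither traversal sequences nor double extensions in the client name can influence where or as what the file lands, and the content check reads the bytes with libmagic rather than trusting the Content-Type the browser (or attacker) sent. As defence in depth, the uploads directory should also be configured so the web server never executes scripts from it, so that a validator bypass does not by itself become remote code execution.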

In an advisory published on Monday, Wordfence said it acted quickly following the report on 8 January 2026. The developer issued a partial fix on 10 February and a complete patch on 19 March, bringing the plugin to version 3.3.27. Users are urged to update immediately.

Article by CyberSIXT