www.securityweek.com 4/8/2026, 11:32:03 AM

Hackers Targeting Ninja Forms Bug That Exposes WordPress Sites to Takeover

CyberSIXT Evidence Panel
CISA KEV: Not in KEV
Patch: Patch Status Unknown

According to Wordfence, a critical-severity vulnerability in the Ninja Forms WordPress plugin’s File Uploads addon could allow attackers to take over vulnerable sites by uploading arbitrary files and achieving remote code execution. The defect, CVE-2026-0740, carries a CVSS score of 9.8 and stems from unauthenticated arbitrary file uploads due to insufficient file type validation and a lack of filename sanitisation, which can permit PHP files to be uploaded and moved to the webroot.

Defiant warns that the vulnerability exists in the function that saves uploads to the uploads folder, and that an unauthenticated attacker could deploy web shells and gain full control of a site. The affected addon is used by roughly 50,000 websites, with thousands of exploitation attempts observed. Users are advised to upgrade to Ninja Forms – File Uploads version 3.3.27 as soon as possible, since all previous iterations are affected. The issue was identified and reported via the Wordfence bug bounty program by Sélim Lanouar, who received a $2,145 reward for it.
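
A defender's check for the outcome described above, added here as an example (it is not from the article, Wordfence, or the plugin): it walks an uploads directory and flags files that carry a PHP-handled extension anywhere in the name or contain a PHP open tag. The extension list, function names and sample tree are assumptions constructed for illustration.

```python
import tempfile
from pathlib import Path

# Assumption: extensions a typical server maps to the PHP handler; adjust to yours.
PHP_EXTS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".pht"}
PHP_TAGS = (b"<?php", b"<?=")

def classify(path, head_bytes=4096):
    """Return the reasons a file looks like executable PHP (empty list if none)."""
    reasons = []
    # Check every suffix so "x.php.png" is caught as well as "x.php".
    hit = sorted({s.lower() for s in Path(path).suffixes} & PHP_EXTS)
    if hit:
        reasons.append("php-extension:" + ",".join(hit))
    try:
        with open(path, "rb") as fh:
            head = fh.read(head_bytes).lower()
    except OSError as exc:
        return reasons + ["unreadable:" + type(exc).__name__]
    if any(tag in head for tag in PHP_TAGS):
        reasons.append("php-open-tag")
    return reasons

def scan_uploads(root):
    """Walk root and return {relative_posix_path: reasons} for flagged files."""
    findings = {}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            reasons = classify(p)
            if reasons:
                findings[p.relative_to(root).as_posix()] = reasons
    return findings

def demo():
    """Build a constructed uploads tree in a temp dir and scan it."""
    samples = {  # constructed sample files, not real uploads
        "2026/04/photo.jpg": b"\xff\xd8\xff\xe0 constructed jpeg bytes",
        "2026/04/form-upload.php": b"<?php /* constructed placeholder */ ?>",
        "2026/04/avatar.php.png": b"\x89PNG constructed",
        "2026/04/notes.txt": b"plain text <?php echo 1; ?>",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return scan_uploads(root)

if __name__ == "__main__":
    print(demo())
```

On a live site, pass the WordPress uploads path to `scan_uploads` and treat any hit as a lead for review alongside the upgrade to 3.3.27; a clean result does not rule out files written elsewhere in the webroot.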


Article by CyberSIXT