Vulnerabilities | Apr 8, 2026

Hackers Targeting Ninja Forms Vulnerability That Exposes WordPress Sites to Takeover

Critical Ninja Forms File Uploads addon vulnerability enables unauthenticated remote code execution on 50,000 WordPress

Summary

A critical vulnerability (CVE-2026-0740, CVSS 9.8) in the Ninja Forms File Uploads addon for WordPress allows unauthenticated attackers to upload arbitrary PHP files and achieve remote code execution. The flaw stems from insufficient file type validation and missing filename sanitization, enabling path traversal attacks. Defiant reports thousands of active exploitation attempts against the ~50,000 affected websites; users are urged to upgrade to version 3.3.27 immediately.

Full text

A critical-severity vulnerability in the File Uploads addon for the Ninja Forms WordPress plugin could allow threat actors to take over vulnerable deployments, cybersecurity firm Defiant warns. Defiant says the affected addon is used by roughly 50,000 websites, and the company has seen thousands of attempts to exploit the vulnerability.

Tracked as CVE-2026-0740 (CVSS score of 9.8), the security defect is described as an unauthenticated arbitrary file upload issue rooted in missing file type validation. The addon was designed to provide file upload functionality for the Ninja Forms plugin.

The vulnerability exists in the function that saves the uploaded file to the uploads folder. The file type check it performs is not sufficient: it does not validate the destination filename before the file is moved into the uploads directory, which makes it possible to write files with a .php extension. "Since no filename sanitization is utilized, the malicious parameter also facilitates path traversal, allowing the file to be moved even to the webroot directory," Defiant explains.

An unauthenticated attacker could exploit this vulnerability to upload malicious PHP code to a vulnerable website's server, and then request the file to achieve remote code execution (RCE), Defiant notes. According to the cybersecurity firm, an attacker could abuse the bug to deploy web shells and take complete control of the targeted site.

CVE-2026-0740, Defiant says, was identified and reported via the Wordfence bug bounty program in January by security researcher Sélim Lanouar, who received a $2,145 bounty reward for it.

Users are advised to upgrade to Ninja Forms – File Uploads version 3.3.27 as soon as possible, as all previous versions are affected by the bug.
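The flaw class Defiant describes, an extension check applied to the wrong name followed by an unsanitized destination path, is easier to see side by side with a hardened version. The PHP below is an added illustration written for this page; it is not the Ninja Forms addon's code and does not reproduce the actual vulnerable function. The helper names, parameters, the `$uploads_dir` argument and the allowlist are assumptions.

```php
<?php
// Added illustration, not the Ninja Forms addon's code. Hypothetical
// save-to-uploads helpers showing the flaw class described in the
// advisory (type check on the original name, unsanitized destination)
// and a hardened version. Names, parameters and paths are assumptions.

// Flawed pattern: the extension allowlist is applied to the original
// upload name, but the file is written under a caller-supplied
// destination name that is never checked or sanitized.
function save_upload_vulnerable(array $file, string $dest_name, string $uploads_dir): string
{
    $allowed = ['jpg', 'png', 'pdf'];
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed, true)) {
        throw new RuntimeException('file type not allowed');
    }
    // A $dest_name such as "../shell.php" passes: the check above never
    // looked at it, and the path is not confined to $uploads_dir.
    $target = $uploads_dir . '/' . $dest_name;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('move failed');
    }
    return $target;
}

// Hardened pattern: decide on the final filename first, validate that
// name, then confirm the resolved path stays inside the uploads dir.
function save_upload_hardened(array $file, string $dest_name, string $uploads_dir): string
{
    $allowed  = ['jpg', 'png', 'pdf'];
    $expected = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'pdf' => 'application/pdf'];

    // 1. Strip directory components: basename() drops "../" segments and
    //    absolute prefixes, so the name can only land in $uploads_dir.
    $name = basename($dest_name);

    // 2. Reject empty or hidden names and anything outside a conservative
    //    character set (this also blocks NUL bytes and separators).
    if ($name === '' || $name[0] === '.' || !preg_match('/^[A-Za-z0-9._-]+$/', $name)) {
        throw new RuntimeException('invalid filename');
    }

    // 3. Validate every extension of the name that will actually be
    //    written, so "image.php.jpg" is rejected as well as "shell.php".
    $parts = explode('.', $name);
    if (count($parts) < 2) {
        throw new RuntimeException('missing extension');
    }
    foreach (array_slice($parts, 1) as $ext) {
        if (!in_array(strtolower($ext), $allowed, true)) {
            throw new RuntimeException('file type not allowed: ' . $ext);
        }
    }

    // 4. Check content, not just the name: the server-side MIME sniff
    //    must agree with the final extension (finfo ships with PHP).
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime !== $expected[strtolower(end($parts))]) {
        throw new RuntimeException('content does not match extension');
    }

    // 5. Confine the final path to the uploads directory even if a later
    //    refactor weakens step 1 (defense in depth).
    $base = realpath($uploads_dir);
    if ($base === false) {
        throw new RuntimeException('uploads directory missing');
    }
    $target = $base . DIRECTORY_SEPARATOR . $name;
    if (strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('path escapes uploads directory');
    }

    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('move failed');
    }
    return $target;
}
```

In a real WordPress plugin the same steps map onto core helpers: `sanitize_file_name()` for step 1 and 2, `wp_check_filetype_and_ext()` for steps 3 and 4, and `wp_upload_dir()` to obtain the base path used in step 5. The property to preserve is that the extension and content checks run against the name the file will be stored under, never against a name the client controls elsewhere in the request. Sites checking for compromise should treat any `.php` file under `wp-content/uploads`, or a recently created `.php` file in the webroot, as suspicious, since a stock WordPress install writes no PHP there.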
Written by Ionut Arghire, an international correspondent for SecurityWeek.

Indicators of Compromise

  • cve — CVE-2026-0740

Entities

  • Ninja Forms – File Uploads (product)
  • WordPress (product)
  • Defiant (vendor)
  • PHP (technology)