Ninja Forms WordPress plugin allows unauthenticated file upload leading to remote code execution
A critical vulnerability in the Ninja Forms File Uploads premium add-on for WordPress allows attackers to upload arbitrary files - including PHP web shells - without any authentication. Over 800,000 WordPress sites use Ninja Forms, and the File Uploads extension is one of its most popular premium add-ons. Successful exploitation gives an attacker full code execution on the web server. No user interaction required - just a crafted request to the file upload endpoint.
- Check: Check if any of your WordPress sites use the Ninja Forms File Uploads premium add-on. This is a premium extension, not the free Ninja Forms base plugin.
- Affected: WordPress sites running the Ninja Forms File Uploads premium add-on (vulnerable versions not yet confirmed in public reporting). The free base Ninja Forms plugin alone is not affected.
- Fix: Update the Ninja Forms File Uploads add-on to the latest version immediately. If you can't patch right away, temporarily disable the file upload functionality. Review your web server logs for unexpected file uploads in the Ninja Forms upload directory. Use a WAF rule to block PHP file uploads to Ninja Forms endpoints.