A critical unauthenticated arbitrary file upload vulnerability (CVE-2026-0740, CVSS 9.8) in the Ninja Forms File Upload premium WordPress plugin is being actively exploited. The flaw, affecting versions up to 3.3.26, stems from missing file type/extension validation and lack of filename sanitization, allowing attackers to upload PHP files and achieve remote code execution or full site takeover via path traversal. Wordfence has blocked over 3,600 attacks in 24 hours. A complete fix is available in version 3.3.27, released March 19. Users should upgrade immediately.
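The two missing controls named above, extension validation and filename sanitization, sketched in plain PHP as an added example; this is not the plugin's code or its 3.3.27 fix. `ALLOWED_EXTENSIONS` and `safe_upload_path()` are hypothetical names, the allowlist is an assumption, and the block covers only the filename side of the check, not content inspection.

```php
<?php
// Added illustration, not code from the Ninja Forms File Upload plugin.
// ALLOWED_EXTENSIONS and safe_upload_path() are hypothetical names.
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];

// Map a client-supplied filename to a path directly inside $uploadDir,
// or return null when the upload must be rejected.
function safe_upload_path(string $uploadDir, string $clientName): ?string
{
    if (strpos($clientName, "\0") !== false) {
        return null;                       // NUL bytes never belong in a name
    }
    // Sanitization: keep only the last path component (both separator
    // styles), so "../" sequences cannot steer the write elsewhere.
    $name = basename(str_replace('\\', '/', $clientName));
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', $name);
    $name = ltrim((string) $name, '.');    // no dotfiles such as .htaccess

    // Extension validation: allowlist on the final, lower-cased extension.
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null;
    }
    // Neutralize inner dots so "a.php.jpg" cannot be read as PHP by a
    // handler that matches on any dot-separated segment.
    $stem = str_replace('.', '_', pathinfo($name, PATHINFO_FILENAME));
    if ($stem === '') {
        return null;
    }
    // Containment: the destination's parent must be the upload directory.
    $base = realpath($uploadDir);
    if ($base === false) {
        return null;
    }
    $dest = $base . DIRECTORY_SEPARATOR . $stem . '.' . $ext;
    return dirname($dest) === $base ? $dest : null;
}

// Constructed sample names, checked against the system temp directory.
$samples = ['photo.JPG', 'shell.php', '../../index.php', 'a.php.jpg', '.htaccess'];
foreach ($samples as $s) {
    $out = safe_upload_path(sys_get_temp_dir(), $s);
    printf("%-18s => %s\n", $s, $out ?? 'REJECTED');
}
```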

From bleepingcomputer.com