Active Exploitation of Ninja Forms File Uploads Flaw Enables WordPress RCE
Attackers are actively exploiting CVE-2026-0740, a critical unauthenticated arbitrary file upload flaw in the Ninja Forms File Uploads premium add-on for WordPress that can lead to remote code execution and full site compromise. The vulnerability affects versions through 3.3.26 and stems from improper validation of file types and extensions in destination filenames, combined with missing filename sanitization that allows path traversal and placement of malicious PHP files in the webroot or other sensitive directories.
Wordfence said it blocked more than 3,600 exploitation attempts in a 24-hour period and warned that attackers could use the bug to deploy web shells and take over vulnerable sites. Researcher Sélim Lanouar discovered the issue through Wordfence’s bug bounty program, and the vendor released a full fix in version 3.3.27 after an earlier partial remediation. Organizations using the add-on, which is deployed across more than 90,000 customer environments, have been urged to upgrade immediately.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Wordfence blocks over 3,600 exploitation attempts in 24 hours
Wordfence reported blocking more than 3,600 attack attempts targeting CVE-2026-0740 within a 24-hour period, underscoring widespread active exploitation of the flaw.
Active exploitation of CVE-2026-0740 observed in the wild
Attackers began actively exploiting the Ninja Forms File Uploads vulnerability, attempting to upload malicious PHP files that could enable web shell deployment and full site compromise.
Complete fix released in Ninja Forms File Uploads 3.3.27
The vendor released version 3.3.27 with a full patch for CVE-2026-0740, a critical flaw that could allow unauthenticated remote code execution through malicious file uploads and path traversal.
Vendor issues partial fix for Ninja Forms File Uploads flaw
An initial partial fix for CVE-2026-0740 was released by the vendor, but it did not fully remediate the vulnerability affecting versions up to 3.3.26.
Researcher discovers CVE-2026-0740 in Ninja Forms File Uploads add-on
Security researcher Sélim Lanouar identified a critical unauthenticated arbitrary file upload flaw in the Ninja Forms File Uploads premium add-on for WordPress through Wordfence's bug bounty program and reported it to Wordfence, which notified the vendor.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Critical WordPress Plugin Flaws Expose Sites to File Upload, SQL Injection, and Takeover
Multiple **WordPress plugins** were flagged for severe vulnerabilities that could let attackers take over sites through unauthenticated file upload, SQL injection, arbitrary file deletion, and authorization bypass. References point to issues in plugins including **WP Duplicate**, **Ninja Forms File Upload**, **Ultimate Member**, **Product Addons for WooCommerce**, **CleanTalk Spam Protect**, **Ally**, **Perfmatters**, and **Kali Forms**, alongside identifiers such as **`CVE-2024-48930`**, **`CVE-2025-13192`**, and **`CVE-2026-1104`**. Several flaws were described as allowing arbitrary plugin installation, malicious file upload, or direct database manipulation, creating a path to remote code execution and full site compromise. Wordfence reports indicate the exposure spans **hundreds of thousands of WordPress sites**, with some bugs already under **active exploitation**. The most serious cases include an unauthenticated SQL injection flaw in the **Ally** plugin affecting roughly **400,000 sites**, an arbitrary file deletion issue in **Perfmatters** affecting about **200,000 sites**, and active attacks targeting a critical flaw in **Kali Forms**. Taken together, the disclosures show a broad wave of high-impact plugin security failures that increase the risk of website defacement, malware deployment, data theft, and administrator-level compromise across the WordPress ecosystem.
May 25, 2026
Critical File Upload Flaws Expose WordPress Plugins to Remote Code Execution
Multiple WordPress plugins were found vulnerable to **unauthenticated arbitrary file upload** flaws that can lead to remote code execution and full site compromise. The most urgent case involves the **Breeze Cache** plugin, where **CVE-2026-3844** affects versions through `2.4.4` when the optional **"Host Files Locally - Gravatars"** feature is enabled. Researchers said the bug stems from missing file-type validation in the `fetch_gravatar_from_remote` function, and BleepingComputer reported that attackers are already exploiting the issue in the wild, with Wordfence observing more than 170 attack attempts. Cloudways released a fix in version `2.4.5`, and defenders were urged to update immediately or disable the Gravatar-related feature until patching is complete. Two additional **Contact Form 7** upload extensions were also disclosed with critical upload weaknesses. **CVE-2026-5718** affects **Drag and Drop Multiple File Upload for Contact Form 7** through `1.3.9.6`, where custom blacklist handling can override the default dangerous-extension denylist and a non-ASCII filename trick can bypass sanitization, allowing attackers to upload PHP files. **CVE-2026-5364** affects **Drag and Drop File Upload for Contact Form 7** through `1.1.3`, where the plugin validates an unsanitized extension but saves a sanitized one, enabling bypasses using special characters such as `$`; researchers noted that `.htaccess` protections and filename randomization may reduce real-world exploitability. Together, the disclosures highlight a broader pattern of insecure file validation in WordPress upload plugins.
Apr 24, 2026
Active Exploitation of Everest Forms Pro RCE Creates Rogue WordPress Admins
Attackers are actively exploiting **CVE-2026-3300**, a critical unauthenticated remote code execution flaw in the **Everest Forms Pro** WordPress plugin, to fully compromise vulnerable sites. The bug affects versions through **1.9.12** and was fixed in **1.9.13**. It stems from the plugin’s Complex Calculation feature, where user-controlled input in `process_filter()` is concatenated into PHP code and executed with `eval()`, allowing arbitrary PHP injection through crafted form submissions, often via the `/wp-admin/admin-ajax.php` endpoint. Wordfence reported exploitation beginning on April 13 and escalating into mass attacks, with more than **29,300** exploit attempts blocked overall and over **17,900** on May 16 alone. A recurring payload creates a rogue administrator account named **`diksimarina`**, giving attackers persistent access to upload webshells, install backdoors, alter site content, and potentially pivot deeper into the hosting environment. Defenders are being urged to upgrade immediately to **1.9.13 or later**, audit WordPress administrator accounts for unauthorized users, and review logs for suspicious requests and known malicious IP activity.
Jun 9, 2026