In a major alert for the WordPress community, a critical security flaw has been disclosed in the Ninja Forms – File Upload plugin. The vulnerability, tracked as CVE-2026-0740, carries a CVSS score of 9.8, signaling a “complete site compromise” risk for the estimated 50,000 websites utilizing the tool.
The flaw was identified by researcher Sélim Lanouar (whattheslime) through the Wordfence Bug Bounty Program. The discovery, which earned a bounty of $2,145.00, highlights a breakdown in how the plugin moves temporary files during the upload process.
According to the Wordfence report:
“This vulnerability makes it possible for an unauthenticated attacker to upload arbitrary files to a vulnerable site and achieve remote code execution.”
The root of the issue lies in the handle_upload function of the NF_FU_AJAX_Controllers_Uploads class. The plugin validated the file type of the source filename but did not apply the same check to the destination filename used in the move operation.
Because only the source name was checked, an attacker can supply a destination name ending in .php and have the file stored with that extension. The destination filename was also not sanitized against path traversal, so an attacker can move the malicious file out of the temporary upload directory and directly into the webroot.
The analysis warns:
“This makes it possible for unauthenticated attackers to upload arbitrary malicious PHP code and then access the file to trigger remote code execution on the server.”
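To make the root cause concrete, here is an added illustration of the two check patterns described above. It is not the plugin's code and not from the Wordfence report; the function names, the allowlist and the upload directory path are assumptions, written in Python purely to show the logic (the plugin itself is PHP). The "vulnerable" function models a handler that validates only the source filename; the "hardened" one validates both names, decodes the destination before checking it, and rejects any path component.

```python
"""Added illustration (not the plugin's code): why validating only the
source filename of an upload is insufficient, and what the hardened check
looks like. Function names, allowlist and UPLOAD_DIR are assumptions."""
import posixpath
from typing import Optional
from urllib.parse import unquote

ALLOWED_EXTENSIONS = {"pdf", "jpg", "jpeg", "png", "gif", "txt"}
UPLOAD_DIR = "/var/www/html/wp-content/uploads/ninja-forms/tmp"  # assumed path


def extension_of(name: str) -> str:
    """Lowercase extension of the last path component; '' for none or dotfiles."""
    base = posixpath.basename(name)
    stem, dot, ext = base.rpartition(".")
    if not dot or not stem:          # 'README' or '.htaccess'
        return ""
    return ext.lower()


def vulnerable_move(src_name: str, dest_name: str) -> Optional[str]:
    """Models the flawed pattern: only the *source* name is type-checked."""
    if extension_of(src_name) not in ALLOWED_EXTENSIONS:
        return None
    # Destination is trusted as-is: its extension and any ../ go unchecked,
    # so 'lab.pdf' can be stored as 'something.php' outside the upload dir.
    return posixpath.join(UPLOAD_DIR, dest_name)


def hardened_move(src_name: str, dest_name: str) -> Optional[str]:
    """Checks both names, rejects traversal and pins the result under UPLOAD_DIR."""
    dest_name = unquote(dest_name)            # decode %2e, %2F etc. before checking
    base = posixpath.basename(dest_name)
    if base != dest_name or base in ("", ".", ".."):
        return None                           # any path component is traversal
    if base.startswith("."):
        return None                           # dotfiles such as .htaccess
    src_ext, dest_ext = extension_of(src_name), extension_of(base)
    if src_ext not in ALLOWED_EXTENSIONS or dest_ext != src_ext:
        return None                           # destination must keep an allowed type
    final = posixpath.normpath(posixpath.join(UPLOAD_DIR, base))
    if posixpath.dirname(final) != UPLOAD_DIR:
        return None                           # belt and braces after normpath
    return final


if __name__ == "__main__":
    for src, dest in [("lab.pdf", "nf_lab_10e31d63.php"),
                      ("image.jpg", "../../wp_cache.php"),
                      ("notes.txt", "%2ehtaccess"),
                      ("lab.pdf", "report.pdf")]:
        print(f"{src!r} -> {dest!r}: vulnerable={vulnerable_move(src, dest)} "
              f"hardened={hardened_move(src, dest)}")
```

Two caveats a reviewer would add. First, decoding happens before the checks, because a check applied to the still-encoded string would pass %2ehtaccess straight through. Second, an extension allowlist alone is not a substitute for storing uploads outside the webroot or under a directory where script execution is disabled; the .htaccess pattern described later on this page is exactly an attempt to re-enable execution inside the upload directory.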
As with all high-impact RCE vulnerabilities, the danger extends beyond simple data theft. An attacker with the ability to execute code can:
- Install Web Shells: Creating a permanent “backdoor” into the server.
- Modify Site Content: Defacing pages or inserting malicious links.
- Pivot to the Host: Using the compromised site as a staging ground for attacks on the underlying server or adjacent applications.
Wordfence notes that the vulnerability was “partially patched in version 3.3.25” but remained exploitable until the full fix shipped.
Administrators who believe they are safe because they updated recently should double-check their version number: every release up to and including 3.3.26 is affected.
To secure your WordPress site, the recommendation is clear and urgent. Users must update to version 3.3.27 or higher as soon as possible.
Update: April 17th
Records indicate that attackers started exploiting the issue the same day it was disclosed, on April 6, 2026. The Wordfence Firewall has already blocked over 118,600 exploit attempts targeting this vulnerability.
Threat actors are attempting to upload various malicious .php and .htaccess files. Several specific exploit patterns have been identified in the wild:
- PDF Masquerading: One exploit involves uploading a file named lab.pdf with a valid PDF header but storing it as nf_lab_10e31d63.php. This serves as a delivery mechanism for a minimal “bashd3x” uploader that uses php_uname() to gather system info while avoiding common function restrictions.
- Image Magic Byte Bypass: Attackers have been seen uploading image.jpg files containing a GIF89a header, which are then stored as wp_cache.php. This minimal shell accepts a cmd parameter via $_GET or $_POST to execute commands.
- .htaccess Manipulation: Attackers are also uploading .htaccess files, with the leading dot URL-encoded as %2ehtaccess, to change how the web server handles files in that directory. On Apache hosts that honor .htaccess overrides, such a file can instruct the server to execute .txt files as PHP, allowing shells to be hidden in files with harmless-looking extensions.
The following IP addresses are currently among the most active in targeting this vulnerability:
- 124.248.183.139: Over 53,000 blocked requests.
- 152.42.221.239: Over 14,000 blocked requests.
- 124.108.54.86: Over 8,000 blocked requests.
- Other highly active addresses include 82.29.88.44, 143.198.143.185, and 185.213.83.150.
Administrators should also review their environments for the following Indicators of Compromise (IoCs):
- Suspicious Files: Review the webroot and /wp-content/uploads directories for any unknown or suspicious PHP or .htaccess files.
- Access Logs: Check for requests in the site’s access log matching /wp-admin/admin-ajax.php?action=nf_fu_upload.
- IP Activity: Monitor for requests originating from the offending IP addresses listed above.
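The following is an added triage script for the IoCs listed above and for the stored filenames seen in the exploit patterns; it is not part of the Wordfence report or of this article. The log lines in SAMPLE_LOG are constructed (the 203.0.113.x and 198.51.100.x addresses are documentation ranges, not real attackers); the IP list is the one quoted in the update, and the combined log format is assumed to be what the server writes. Beyond the three IoCs on the page it also flags a request for a PHP file under /wp-content/uploads/, which is what the uploaded shells described above look like when they are triggered.

```python
"""Added example (not from Wordfence or the article): triage the access-log
and file-name IoCs for CVE-2026-0740. SAMPLE_LOG is constructed."""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple
from urllib.parse import unquote

# Source IPs named in the Wordfence update above
KNOWN_ATTACKER_IPS = {
    "124.248.183.139", "152.42.221.239", "124.108.54.86",
    "82.29.88.44", "143.198.143.185", "185.213.83.150",
}
UPLOAD_ACTION = "action=nf_fu_upload"
# Extensions that should never exist under wp-content/uploads
EXEC_EXTENSIONS = {"php", "phtml", "php5", "php7", "phar"}

# Apache/nginx combined log format (assumed)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: two upload attempts, one shell invocation, one benign hit
SAMPLE_LOG = """\
124.248.183.139 - - [06/Apr/2026:10:14:02 +0000] "POST /wp-admin/admin-ajax.php?action=nf_fu_upload HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Apr/2026:10:14:05 +0000] "POST /wp-admin/admin-ajax.php?action=nf_fu_upload HTTP/1.1" 200 498 "-" "python-requests/2.31"
203.0.113.7 - - [06/Apr/2026:10:14:06 +0000] "GET /wp-content/uploads/wp_cache.php?cmd=id HTTP/1.1" 200 61 "-" "python-requests/2.31"
198.51.100.20 - - [06/Apr/2026:10:15:00 +0000] "GET /contact/ HTTP/1.1" 200 8731 "-" "Mozilla/5.0"
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into ip, ts, method, path, status."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry: Dict[str, str]) -> Optional[str]:
    """Reason string if the request matches an IoC, else None."""
    path = unquote(entry["path"])            # catch %2e-style encodings too
    if UPLOAD_ACTION in path:
        return "nf_fu_upload request"
    bare = path.split("?", 1)[0]
    if bare.startswith("/wp-content/uploads/") and \
            bare.rsplit(".", 1)[-1].lower() in EXEC_EXTENSIONS:
        return "php executed under uploads"
    return None


def scan_access_log(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Collect every request matching an IoC, tagged with whether the
    source IP is one of the addresses named in the report."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        entry = parse_line(line)
        if not entry:
            continue
        reason = classify(entry)
        if reason:
            hits.append({**entry, "reason": reason,
                         "known_attacker": entry["ip"] in KNOWN_ATTACKER_IPS})
    return hits


def top_sources(hits: Iterable[Dict[str, object]]) -> List[Tuple[str, int]]:
    """Most active source IPs among the hits, most frequent first."""
    return Counter(str(h["ip"]) for h in hits).most_common()


def suspicious_upload_names(names: Iterable[str]) -> List[str]:
    """Filter a directory listing (e.g. from os.walk over wp-content/uploads)
    down to names that should not be there: PHP variants and .htaccess.
    Names are URL-decoded first so an encoded %2ehtaccess is caught as well."""
    flagged = []
    for raw in names:
        name = unquote(raw)
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if name == ".htaccess" or ext in EXEC_EXTENSIONS:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    hits = scan_access_log(SAMPLE_LOG.splitlines())
    for h in hits:
        print(h["ip"], h["method"], h["path"], h["reason"],
              "KNOWN" if h["known_attacker"] else "")
    print("top sources:", top_sources(hits))
    print("suspicious files:", suspicious_upload_names(
        ["lab.pdf", "nf_lab_10e31d63.php", "%2ehtaccess", "image.jpg"]))
```

Run it against the real log with `scan_access_log(open("/var/log/apache2/access.log"))` and feed `suspicious_upload_names` the filenames from an `os.walk` over the uploads tree and the webroot. A hit on the upload action from an unknown IP is not proof of compromise on its own, since the same endpoint serves legitimate form uploads; a follow-up request for a .php file under uploads, or a .php or .htaccess file that nobody can account for, is.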