Critical Unauthenticated File Upload Vulnerability Plagues Ninja Forms WordPress Plugin
A critical vulnerability, **CVE-2026-0740**, has been discovered in the Ninja Forms File Uploads add-on for WordPress, potentially allowing unauthenticated attackers to upload arbitrary files and achieve remote code execution. With over 3,600 attacks blocked in the last 24 hours, immediate action is required.

A critical vulnerability in the **Ninja Forms** File Uploads premium add-on for **WordPress** allows uploading arbitrary files without authentication, which can lead to remote code execution.
Identified as **CVE-2026-0740**, the issue is currently being exploited in attacks. According to WordPress security company **Defiant**, its **Wordfence** firewall blocked more than 3,600 attacks over the past 24 hours.
With over 600,000 downloads, **Ninja Forms** is a popular WordPress form builder that lets users create forms without coding using a drag-and-drop interface. Its File Upload extension serves 90,000 customers.
With a critical severity rating of 9.8 out of 10, the **CVE-2026-0740** vulnerability affects Ninja Forms File Upload versions up to 3.3.26.
According to **Wordfence** researchers, the flaw is caused by a lack of validation of file types/extensions on the destination filename, allowing an unauthenticated attacker to upload arbitrary files, including PHP scripts, and also manipulate filenames to enable path traversal.
"The function does not include any file type or extension checks on the destination filename before the move operation in the vulnerable version," **Wordfence** explains.
"This means that not only safe files can be uploaded, but it is also possible to upload files with a .php extension."
"Since no filename sanitization is utilized, the malicious parameter also facilitates path traversal, allowing the file to be moved even to the webroot directory."
"This makes it possible for unauthenticated attackers to upload arbitrary malicious PHP code and then access the file to trigger remote code execution on the server."
The potential repercussions of exploitation are dire, including the deployment of web shells and complete site takeover.
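As an added example (not code from Ninja Forms, Wordfence or the original article), the following PHP destination-name check covers both gaps the quoted analysis describes: an extension allowlist applied to the destination filename, and sanitization that strips directory components so the move cannot leave the upload directory. The allowlist, the upload directory and the sample filenames are assumptions for illustration.

```php
<?php
// Added example, not the plugin's code. A hardened replacement for the step
// that turns a client-supplied name into the destination of a move operation.
// In WordPress proper, sanitize_file_name() and wp_check_filetype() would also apply.

const ALLOWED_EXTENSIONS = ['pdf', 'png', 'jpg', 'jpeg', 'gif', 'txt']; // assumed allowlist

/**
 * Return a safe absolute destination path inside $uploadDir for $requestedName,
 * or null if the name must be rejected. Call move_uploaded_file() only on a non-null result.
 */
function safe_destination(string $uploadDir, string $requestedName): ?string
{
    // 1. Drop every directory component, so "../../x.php" becomes "x.php".
    $name = basename(str_replace('\\', '/', $requestedName));

    // 2. Keep a conservative character set and forbid leading dots (".htaccess").
    $name = ltrim(preg_replace('/[^A-Za-z0-9._-]/', '_', $name), '.');
    if ($name === '') {
        return null;
    }

    // 3. Check every dot-separated segment after the first against the allowlist,
    //    so a double extension such as "x.php.jpg" is rejected as well.
    $parts = explode('.', strtolower($name));
    if (count($parts) < 2) {
        return null; // no extension at all
    }
    foreach (array_slice($parts, 1) as $ext) {
        if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
            return null;
        }
    }

    // 4. Belt and braces: the final path must still resolve inside the upload directory.
    $base = realpath($uploadDir);
    if ($base === false) {
        return null;
    }
    $dest = $base . DIRECTORY_SEPARATOR . $name;
    return strncmp($dest, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0 ? $dest : null;
}

// Demonstration with constructed filenames (assumed upload directory: system temp dir).
foreach (['report.pdf', 'x.php', 'x.php.jpg', '../../index.php', '.htaccess'] as $n) {
    $r = safe_destination(sys_get_temp_dir(), $n);
    printf("%-18s => %s\n", $n, $r === null ? 'REJECTED' : 'accepted as ' . basename($r));
}
```

Only `report.pdf` passes; the other four are rejected before any file is moved.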
### Discovery and fixes
The vulnerability was discovered by security researcher **Sélim Lanouar** (whattheslime), who submitted it to **Wordfence's** bug bounty program on January 8.
Following validation, **Wordfence** disclosed the full details to the vendor on the same day and pushed temporary mitigations via firewall rules to its customers.
After patch reviews and a partial fix on February 10, the vendor released a complete fix in version 3.3.27, available since March 19.
Given that **Wordfence** is detecting thousands of exploitation attempts daily, users of Ninja Forms File Upload are strongly recommended to prioritize upgrading to the latest version.