Overview
- Security vendors report active attacks against the Ninja Forms File Uploads add-on, which Defiant says runs on roughly 50,000 sites, with Wordfence blocking more than 3,600 attempts in 24 hours.
- The bug lets anyone upload files without logging in because the plugin skips checks on the destination filename, which allows .php uploads and path traversal into the webroot, leading to remote code execution.
- The vulnerability is tracked as CVE-2026-0740 with a critical severity score of 9.8; it affects versions up to 3.3.26, and a complete fix is available in version 3.3.27.
- Sélim Lanouar reported the flaw through Wordfence’s bug bounty program in January, prompting same-day firewall mitigations and leading to a full vendor patch released March 19.
- Site owners should update to 3.3.27, turn on firewall rules, and scan for unfamiliar PHP files or web shells to catch any compromise before returning sites to normal use.
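The scan step in the last bullet can be automated. The following is an added example, not code from the original report or from Wordfence, Defiant or the plugin vendor: it walks a WordPress uploads tree and flags PHP scripts (by extension, including double extensions, or by an embedded PHP open tag), `.htaccess` files that add a PHP handler, and files containing the execution calls typical of web shells. The sample tree, its file names and contents are constructed for the demo and are not indicators from the incident.

```python
"""Flag files under a WordPress uploads tree that should never be there.

Added example; the sample tree built in build_sample_tree() is constructed
for the demo and is not real incident data.
"""
import re
import tempfile
from pathlib import Path

# Extensions that common PHP handler configurations will execute.
EXEC_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar"}
# A PHP open tag ("<?php" or the short echo tag "<?=").
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)
# Calls that run code or commands; typical of web shells when found in uploads.
SHELL_INDICATORS = re.compile(
    rb"\b(?:eval|assert|system|passthru|shell_exec|popen|proc_open|exec)\s*\(",
    re.IGNORECASE,
)
# .htaccess directives that can make non-PHP extensions execute as PHP.
HANDLER_OVERRIDE = re.compile(rb"^\s*(?:AddHandler|SetHandler|AddType)\b", re.I | re.M)
HEAD_BYTES = 64 * 1024  # only the start of each file is inspected

REASON_EXT = "executable PHP extension"
REASON_TAG = "PHP open tag in a non-PHP file"
REASON_SHELL = "code/command execution call (possible web shell)"
REASON_HTACCESS = "PHP handler override in .htaccess"


def classify_file(path: Path) -> list:
    """Return the list of reasons a single file is suspicious (empty if clean)."""
    reasons = []
    head = path.read_bytes()[:HEAD_BYTES]
    if path.name.lower() == ".htaccess" and HANDLER_OVERRIDE.search(head):
        reasons.append(REASON_HTACCESS)
    # Check every suffix so a double extension like avatar.php.jpg is caught.
    if any(s.lower() in EXEC_EXTENSIONS for s in path.suffixes):
        reasons.append(REASON_EXT)
    if PHP_OPEN_TAG.search(head):
        if REASON_EXT not in reasons:
            reasons.append(REASON_TAG)
        if SHELL_INDICATORS.search(head):
            reasons.append(REASON_SHELL)
    return reasons


def scan_uploads(root) -> dict:
    """Map each suspicious file (path relative to root, '/' separated) to its reasons."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        reasons = classify_file(path)
        if reasons:
            findings[path.relative_to(root).as_posix()] = reasons
    return findings


def build_sample_tree(base) -> Path:
    """Construct a small uploads tree mixing clean files with planted suspicious ones."""
    root = Path(base) / "uploads"
    month = root / "2026" / "03"
    month.mkdir(parents=True)
    (month / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 32)  # clean JPEG header
    (month / "resume.pdf").write_bytes(b"%PDF-1.4\n%clean document\n")  # clean PDF
    (month / "form-123.php").write_bytes(b"<?php echo 'uploaded'; ?>")  # PHP where only uploads belong
    (month / "avatar.php.jpg").write_bytes(b"GIF89a\n<?php eval(/* payload */); ?>")  # double extension
    (month / "readme.txt").write_bytes(b"<?= system(/* payload */) ?>")  # PHP hidden in a text file
    (root / ".htaccess").write_bytes(b"AddHandler application/x-httpd-php .jpg\n")
    return root


def demo() -> dict:
    """Build the constructed sample tree in a temp dir and return the scan findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_uploads(build_sample_tree(tmp))


if __name__ == "__main__":
    # Against a real site, call scan_uploads("/var/www/html/wp-content/uploads") instead.
    for rel, reasons in demo().items():
        print(f"{rel}: {', '.join(reasons)}")
```

Only the first 64 KiB of each file is read, which keeps the scan cheap on large media libraries; a match is a lead to review by hand, not proof of compromise, and legitimate plugins occasionally place `.htaccess` files under uploads to deny PHP execution (those contain no `AddHandler`/`SetHandler` line and are not flagged).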