Threat Insight

Critical Vulnerability in “Ninja Forms – File Upload” WordPress Plugin (CVE-2026-0740)

A critical security vulnerability has been identified in the Ninja Forms – File Upload plugin for WordPress, affecting an estimated 50,000 active websites.


The vulnerability is an arbitrary file upload flaw caused by insufficient validation of destination filenames during the upload process. An attacker does not need valid credentials to exploit the issue, making it particularly high risk for publicly accessible WordPress sites using the affected plugin[1].

If exploited, this vulnerability could allow attackers to achieve remote code execution on the affected server, upload webshells or other malicious files and potentially gain full control of the WordPress site and its underlying environment.

CVE

CVE-2026-0740

Affected Products

Ninja Forms – File Upload plugin versions up to and including 3.3.26.

Exploitation

A proof-of-concept exploit is publicly available[1].

Recommended Actions

Truesec recommends that you apply mitigations based on vendor instructions[1]:

  • Immediately update the Ninja Forms – File Upload plugin to version 3.3.27 or later
  • Review WordPress sites for signs of unauthorized file uploads or suspicious activity
  • Ensure additional security controls (such as web application firewalls) are enabled where possible
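A check for the second recommended action, added here as an example (not Truesec's or the plugin's code): it walks a wp-content/uploads tree and flags files that a form upload endpoint should never have written there. The directory layout, file names and contents below are constructed placeholders.

```python
import os
import tempfile

# Extensions a PHP-enabled web server may execute; none belong under uploads.
EXEC_EXTS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".phps"}
# Leading bytes expected for image types an upload form normally accepts.
MAGIC = {".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff", ".gif": b"GIF8"}

def classify(path):
    # Returns a reason if the file looks like an unauthorized upload, else None.
    name = os.path.basename(path).lower()
    exts = ["." + p for p in name.split(".")[1:]]
    # Executable extension anywhere in the name catches a.php, a.php.jpg and a.jpg.php.
    if any(e in EXEC_EXTS for e in exts):
        return "executable extension"
    # .htaccess or .user.ini dropped here can re-enable PHP execution for the directory.
    if name in (".htaccess", ".user.ini"):
        return "server config file in uploads"
    # An image extension whose content is not an image is a disguised upload.
    ext = exts[-1] if exts else ""
    if ext in MAGIC:
        with open(path, "rb") as fh:
            if not fh.read(8).startswith(MAGIC[ext]):
                return "content does not match extension"
    return None

def scan_uploads(root):
    # Walk an uploads tree; return sorted (relative path, reason) findings.
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            full = os.path.join(dirpath, f)
            reason = classify(full)
            if reason:
                findings.append((os.path.relpath(full, root).replace(os.sep, "/"), reason))
    return sorted(findings)

def build_sample_tree():
    # Constructed sample uploads directory; file contents are placeholders, not real files.
    root = tempfile.mkdtemp(prefix="wp-uploads-")
    samples = {
        "2026/04/photo.png": b"\x89PNG\r\n\x1a\nconstructed",
        "2026/04/dropped.php": b"<?php /* constructed placeholder */ ?>",
        "2026/04/dropped.php.jpg": b"<?php /* constructed placeholder */ ?>",
        "2026/04/notimage.jpg": b"constructed text, not a JPEG",
        "2026/04/.htaccess": b"# constructed placeholder",
    }
    for rel, data in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root
```

Run `scan_uploads("/path/to/wp-content/uploads")` against a real site; every finding deserves a look at the web server access log for the POST that created it.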

References

[1] https://www.wordfence.com/blog/2026/04/50000-wordpress-sites-affected-by-arbitrary-file-upload-vulnerability-in-ninja-forms-file-upload-wordpress-plugin/
[2] https://www.cve.org/CVERecord?id=CVE-2026-0740
