Primary

Context

Ninja Forms File Uploads Plugin for WordPress Arbitrary File Upload Vulnerability

Vulnerability

Patched

A vulnerability in the Ninja Forms - File Uploads plugin for WordPress allows for arbitrary file uploads. This issue arises from inadequate file type validation in the 'NF_FU_AJAX_Controllers_Uploads::handle_upload' function, affecting all versions up to and including 3.3.26. The flaw enables unauthenticated attackers to upload arbitrary files to the server, potentially leading to remote code execution.

Impact

Exploitation of this vulnerability could allow for arbitrary file uploads, with the potential for remote code execution.

Remediation

Users can update to Ninja Forms - File Uploads version 3.3.27, which fully addresses this vulnerability. Version 3.3.25 also includes a partial fix.

Added: Apr 7, 2026, 5:19 AM

Updated: Apr 7, 2026, 5:19 AM

Vulnerability Rating

Custom Algorithm

spread

1.0

impact

7.5

exploitability

7.2

remediation

7.7

relevance

5.4

threat

0.5

urgency

2.9

incentive

4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

1.0

impact

7.5

exploitability

7.2

remediation

7.7

relevance

5.4

threat

0.5

urgency

2.9

incentive

4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Ninja Forms File Uploads Plugin for WordPress Arbitrary File Upload Vulnerability

Vulnerability

Impact

Remediation

Affected Products

Ninja Forms - File Uploads

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating