Attackers Actively Exploiting Critical Vulnerability in Ninja Forms – File Upload Plugin

On April 6th, 2026, we publicly disclosed a critical Arbitrary File Upload vulnerability in Ninja Forms – File Upload, a WordPress plugin with an estimated 50,000 active installations. This vulnerability can be leveraged by unauthenticated attackers to upload arbitrary files, including PHP...

EUVD-2026-19572

The Ninja Forms - File Uploads plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'NFFUAJAXControllersUploads::handleupload' function in all versions up to, and including, 3.3.26. This makes it possible for unauthenticated attackers to upload...

CVE-2026-0740

The Ninja Forms - File Uploads plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'NFFUAJAXControllersUploads::handleupload' function in all versions up to, and including, 3.3.26. This makes it possible for unauthenticated attackers to upload...

50,000 WordPress Sites affected by Arbitrary File Upload Vulnerability in Ninja Forms – File Upload WordPress Plugin

On January 8th, 2026, we received a submission for an Arbitrary File Upload vulnerability in Ninja Forms - File Upload, a WordPress plugin with an estimated 50,000 active installations. This vulnerability makes it possible for an unauthenticated attacker to upload arbitrary files to a vulnerable...

VulnCheck KEV: CVE-2026-0740

The Ninja Forms - File Uploads plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'NFFUAJAXControllersUploads::handleupload' function in all versions up to, and including, 3.3.26. This makes it possible for unauthenticated attackers to upload...

PT-2026-30693

Name of the Vulnerable Software and Affected Versions Ninja Forms - File Uploads versions prior to 3.3.27 Description An issue in the Ninja Forms - File Uploads plugin allows unauthenticated attackers to upload arbitrary files, including PHP backdoors, which can lead to remote code execution and...

WordPress eCommerce Product Catalog Plugin <= 3.3.26 is vulnerable to Sensitive Data Exposure

Software eCommerce Product Catalog Type Plugin Vulnerable versions = 3.3.26 Fixed in 3.3.27 OWASP Top 10 A4: Insecure Design Classification Sensitive Data Exposure CVE CVE-2023-51688 Patch priority Low CVSS severity Low 5.3 Developer Claim ownership PSID d7f671a2c15c Credits Muhammad Daffa Requir...