50,000+ WordPress Sites at Risk from Critical Ninja Forms RCE Flaw

A critical security vulnerability in the Ninja Forms File Upload plugin has exposed nearly 50,000 WordPress websites to potential remote compromise, raising serious concerns across the web security community.

Tracked as CVE-2026-0740, the flaw carries a CVSS score of 9.8, indicating maximum severity.

The plugin, widely used to allow visitors to upload files such as documents and images, is now at the center of a high-risk attack surface affecting thousands of active installations.

The vulnerability was discovered by security researcher Sélim Lanouar, who reported it through the Wordfence Bug Bounty Program on January 8, 2026.

In recognition of the severity and impact of the finding, Wordfence awarded a bounty of $2,145. The case highlights the critical role of independent researchers in identifying exploitable flaws before threat actors can weaponize them.

Technical Analysis

The issue stems from improper validation in the plugin’s file-upload handling mechanism, specifically in its AJAX controller.

While the plugin performs an initial file type check on the uploaded file’s original name, it fails to validate the file extension of the final destination filename during the save operation.

[Figure: attack flow (Source: Wordfence)]

This oversight allows attackers to bypass security restrictions entirely. By manipulating the upload request, an unauthenticated user can upload malicious files, including executable PHP scripts, disguised as legitimate content.

In addition, the vulnerability is compounded by insufficient path sanitization. Attackers can exploit path traversal techniques to force uploaded files into sensitive directories, including the web root. This enables direct execution of malicious payloads via a browser request.
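One way to close both gaps the analysis describes, as an added example that is not the plugin's own code: the original upload name and the requested destination name go through the same extension allow-list, and the resolved save path is checked against the upload directory. The function names and the ALLOWED_EXTENSIONS list are assumptions for illustration.

```php
<?php
// Added example, not Ninja Forms' code: a hardened save step for an upload
// handler. It adds the two checks the article says were missing: validating
// the *destination* filename's extension and confining the save path to the
// upload directory. ALLOWED_EXTENSIONS is an illustrative allow-list.
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];
// Reduce a requested filename to one safe path segment and require every
// dotted suffix to be allow-listed (so "x.php.jpg" is rejected as well).
function validated_filename(string $requested): string {
    // basename() drops any directory part, including "../" traversal.
    $name = basename(str_replace('\\', '/', $requested));
    if ($name === '' || $name === '.' || $name === '..') {
        throw new InvalidArgumentException('empty or dot-only filename');
    }
    $parts = explode('.', $name);
    if (count($parts) < 2 || $parts[0] === '') {
        throw new InvalidArgumentException('need a base name and an extension');
    }
    foreach (array_slice($parts, 1) as $ext) {
        if (!in_array(strtolower($ext), ALLOWED_EXTENSIONS, true)) {
            throw new InvalidArgumentException("extension '$ext' not allowed");
        }
    }
    return $name;
}
// Final save path: validate BOTH the original name (the check the plugin had)
// and the requested destination name (the missing one), then assert that the
// result still resolves inside $uploadDir.
function checked_upload_target(string $original, string $requested, string $uploadDir): string {
    validated_filename($original);
    $name = validated_filename($requested);
    $base = realpath($uploadDir);
    if ($base === false) {
        throw new RuntimeException('upload directory does not exist');
    }
    $target = $base . DIRECTORY_SEPARATOR . $name;
    if (realpath(dirname($target)) !== $base) { // defence in depth
        throw new RuntimeException('destination escapes the upload directory');
    }
    return $target;
}
// Constructed sample inputs: one legitimate name and two hostile ones.
$dir = sys_get_temp_dir() . '/uploads-demo'; @mkdir($dir);
foreach (['report.pdf', '../../wp-content/shell.php', 'photo.php.jpg'] as $req) {
    try { echo 'accepted: ', checked_upload_target('report.pdf', $req, $dir), "\n"; }
    catch (Exception $e) { echo "rejected '$req': ", $e->getMessage(), "\n"; }
}
```

The first input is accepted and saved under the upload directory; the traversal attempt and the double-extension name are both rejected before anything touches disk.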

Once executed, the attacker gains Remote Code Execution (RCE), effectively taking full control of the affected server.

From there, threat actors can deploy webshells, extract database credentials, inject malicious SEO spam, or even launch ransomware attacks across connected systems.

Following disclosure, Wordfence implemented virtual firewall protections for its premium users to block exploitation attempts. Meanwhile, the plugin developer released a partial fix in version 3.3.25 on February 10, 2026.

The vulnerability was fully patched in version 3.3.27, released on March 19, 2026. However, any installations running versions up to 3.3.26 remain vulnerable and at immediate risk of compromise.

Security experts strongly advise WordPress administrators to update the plugin without delay. Given the ease of exploitation and the lack of authentication requirements, this vulnerability is highly likely to be targeted in automated attacks.

With tens of thousands of websites exposed, CVE-2026-0740 serves as a stark reminder of the risks posed by insecure file upload mechanisms and the importance of timely patch management in maintaining web security.


The post 50,000+ WordPress Sites at Risk from Critical Ninja Forms RCE Flaw appeared first on Cyber Security News.
