Friday, April 10, 2026

Hackers exploit critical flaw in Ninja Forms WordPress plugin


A critical vulnerability in the Ninja Forms File Uploads premium add-on for WordPress allows uploading arbitrary files without authentication, which can lead to remote code execution.

Tracked as CVE-2026-0740, the issue is currently being exploited in attacks. According to WordPress security firm Defiant, its Wordfence firewall blocked more than 3,600 attacks over the past 24 hours.

With over 600,000 downloads, Ninja Forms is a popular WordPress form builder that lets users create forms without coding using a drag-and-drop interface. Its File Uploads extension, part of the same suite, serves 90,000 customers.


With a critical severity rating of 9.8 out of 10, the CVE-2026-0740 vulnerability affects Ninja Forms File Uploads versions up to and including 3.3.26.

According to Wordfence researchers, the flaw is caused by a lack of validation of file types/extensions on the destination filename, allowing an unauthenticated attacker to upload arbitrary files, including PHP scripts, and also to manipulate filenames to achieve path traversal.

“The function does not include any file type or extension checks on the destination filename before the move operation in the vulnerable version,” Wordfence explains.

“This means that not only safe files can be uploaded, but it is also possible to upload files with a .php extension.”

“Since no filename sanitization is applied, the malicious parameter also facilitates path traversal, allowing the file to be moved even to the webroot directory.”

“This makes it possible for unauthenticated attackers to upload arbitrary malicious PHP code and then access the file to trigger remote code execution on the server.”
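As an added example (not code from Ninja Forms, the vendor, or Wordfence), the check that the quoted description says was missing, written in PHP: a destination-filename validator that strips directory components and enforces an extension allowlist, shown next to the unchecked move it replaces. The function names, the allowlist and the upload directory are assumptions for illustration.

```php
<?php
// Added example, not the Ninja Forms File Uploads code: the check a file-upload
// handler needs on the *destination* filename before moving the file. The
// function names and the $allowed_ext list are assumptions for illustration.

/**
 * Return a destination path inside $upload_dir for $requested_name, or null
 * if the name must be rejected. Never trust the client-supplied name.
 */
function safe_upload_destination(string $requested_name, string $upload_dir, array $allowed_ext): ?string
{
    // Reject embedded NUL bytes outright; they can truncate the name at the OS level.
    if (strpos($requested_name, "\0") !== false) {
        return null;
    }

    // Strip every directory component. "../../../shell.php" and
    // "..\\..\\shell.php" both collapse to "shell.php", which closes the
    // path-traversal vector: the file can only land directly in $upload_dir.
    $name = basename(str_replace('\\', '/', $requested_name));
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }

    // Reduce to a conservative character set.
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', $name);

    // Split on dots so both the final extension and any interior one are visible.
    $parts = explode('.', $name);
    if (count($parts) < 2 || $parts[0] === '') {
        return null; // no extension at all, or a dotfile such as ".htaccess"
    }

    // The final extension must be on the allowlist (case-insensitive).
    $ext = strtolower(end($parts));
    if (!in_array($ext, $allowed_ext, true)) {
        return null;
    }

    // No segment may be a server-executable extension: this also catches
    // double extensions such as "shell.php.jpg" on hosts that run any .php segment.
    foreach (array_slice($parts, 1) as $segment) {
        if (preg_match('/^(php[0-9]*|phtml|phar|phps|pht)$/i', $segment)) {
            return null;
        }
    }

    return rtrim($upload_dir, '/') . '/' . $name;
}

// Vulnerable pattern as described in the article: the client-controlled name
// goes straight into the move, so "../../shell.php" can become a web shell
// in the webroot.
function move_upload_unchecked(string $tmp, string $requested_name, string $upload_dir): bool
{
    return move_uploaded_file($tmp, $upload_dir . '/' . $requested_name);
}

// Hardened pattern: validate first, move only on success.
function move_upload_checked(string $tmp, string $requested_name, string $upload_dir): bool
{
    $dest = safe_upload_destination($requested_name, $upload_dir, ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt']);
    if ($dest === null) {
        return false;
    }
    return move_uploaded_file($tmp, $dest);
}

// Constructed sample names that exercise the validator (no real upload happens here).
$samples = ['report.pdf', 'Photo.JPG', 'shell.php', 'shell.PhP', 'shell.php.jpg',
            '../../../shell.php', '..\\..\\shell.php', '.htaccess', 'noext'];
foreach ($samples as $n) {
    $dest = safe_upload_destination($n, '/var/www/html/wp-content/uploads/ninja-forms', ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt']);
    printf("%-22s -> %s\n", $n, $dest === null ? 'REJECTED' : $dest);
}
```

In a real WordPress plugin, `sanitize_file_name()` and `wp_check_filetype()` provide much of this, and the handler should also inspect the file content's MIME type rather than trusting the name alone. Disabling PHP execution in the upload directory through the web server configuration limits the damage if a name check is ever bypassed.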

The potential repercussions of exploitation are dire, including the deployment of web shells and full site takeover.

Discovery and fixes

The vulnerability was discovered by security researcher Sélim Lanouar (whattheslime), who submitted it to Wordfence's bug bounty program on January 8.

Following validation, Wordfence disclosed the full details to the vendor on the same day and pushed temporary mitigations to its customers via firewall rules.

After patch reviews and a partial fix on February 10, the vendor released a complete fix in version 3.3.27, available since March 19.

Given that Wordfence is detecting thousands of exploitation attempts every day, users of Ninja Forms File Uploads are strongly advised to prioritize upgrading to the latest version. Because updating does not remove files an attacker has already dropped, sites that ran a vulnerable version should also be checked for unexpected PHP files in the upload directories and the webroot.

