Critical Vulnerability in Ninja Forms Exposes WordPress Sites


A critical arbitrary file upload vulnerability in Ninja Forms – File Upload Plugin has been identified, exposing thousands of WordPress sites to potential compromise.

The issue affects plugin versions up to and including 3.3.26 and allows unauthenticated attackers to upload malicious files, potentially leading to remote code execution (RCE).

The flaw carries a CVSS score of 9.8. It stems from insufficient file validation in the plugin's upload handling function, enabling attackers to bypass the intended restrictions and write files of their choosing directly to the web server.

The vulnerability was discovered by security researcher Sélim Lanouar, known as whattheslime, who reported it through the Wordfence Bug Bounty Program. He reportedly received a $2,145 reward for the finding.

Analysis of the plugin code revealed that while some validation checks exist, they fail to properly verify file types and extensions during the upload process. This gap allows attackers to:

  • Upload files with server-executable extensions such as .php

  • Manipulate filenames to slip past the existing safeguards

  • Use path traversal techniques to place files in sensitive directories outside the intended upload folder

  • Execute the uploaded code remotely, with no authentication required

As a result, attackers could gain full control of affected websites, often by deploying webshells or similar tools.
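The validation gap described above, as an added example that is not the plugin's code: a denylist-only extension check of the kind that is routinely bypassed, beside a hardened handler that strips the directory part, allowlists every extension segment, sniffs the content and never reuses the client's filename. It is written in Python rather than the plugin's PHP so the checks can be run stand-alone; the upload directory and the attacker filenames are constructed for illustration.

```python
import os
import posixpath
import secrets
from typing import List, Optional

# Assumed upload directory; the real plugin's location is not given in the article.
UPLOAD_ROOT = "/var/www/html/wp-content/uploads/ninja-forms"

# What a naive check blocks, versus what a form upload field plausibly accepts.
DENYLIST = {"php"}
ALLOWLIST = {"jpg", "jpeg", "png", "gif", "pdf"}

# Well-known leading bytes each allowed type must start with.
MAGIC = {
    "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8", "pdf": b"%PDF",
}


def naive_is_allowed(filename: str) -> bool:
    """Denylist on the final extension only: the kind of check that is easy to
    bypass. Case variants, a trailing dot, alternative PHP handlers (.phtml),
    .htaccess and traversal in the directory part all pass."""
    ext = filename.rsplit(".", 1)[-1] if "." in filename else ""
    return ext not in DENYLIST


def hardened_destination(filename: str, content: bytes,
                         upload_root: str = UPLOAD_ROOT) -> Optional[str]:
    """Return an absolute path the upload may be written to, or None to reject."""
    # 1. The client never chooses a directory: keep only the basename, treating
    #    backslashes as separators too so "..\\" cannot sneak through.
    base = posixpath.basename(filename.replace("\\", "/"))
    # 2. Control characters (including NUL) confuse lower layers; reject outright.
    if not base or any(ord(c) < 32 for c in base):
        return None
    # 3. Every dot-separated segment after the first must be an allowed
    #    extension, so shell.php.jpg, shell.jpg.php and "shell.php." are all
    #    rejected, and a leading dot (.htaccess) leaves an empty first segment.
    parts = base.lower().split(".")
    if len(parts) < 2 or parts[0] == "" or not all(p in ALLOWLIST for p in parts[1:]):
        return None
    ext = parts[-1]
    # 4. The bytes must look like the claimed type; an extension alone proves nothing.
    if not content.startswith(MAGIC[ext]):
        return None
    # 5. Never reuse the client-supplied name on disk.
    dest = os.path.realpath(os.path.join(upload_root, f"{secrets.token_hex(16)}.{ext}"))
    root = os.path.realpath(upload_root)
    # 6. The resolved path must still live under the upload root.
    if os.path.commonpath([dest, root]) != root:
        return None
    return dest


def is_inside_upload_root(path: str, upload_root: str = UPLOAD_ROOT) -> bool:
    """True if path is a direct child of the resolved upload directory."""
    return os.path.dirname(path) == os.path.realpath(upload_root)


# Constructed attacker filenames of the kinds the article lists.
ATTACKER_NAMES = [
    "shell.php", "shell.PhP", "shell.php.", "shell.phtml", "shell.php.jpg",
    "shell.jpg.php", "shell.php\x00.jpg", ".htaccess", "../../../cache/evil.phtml",
]


def naive_bypasses() -> List[str]:
    """Names the denylist check lets through; only names ending in exactly
    '.php' are blocked, seven of the nine above get past it."""
    return [n for n in ATTACKER_NAMES if naive_is_allowed(n)]


def hardened_rejects_all() -> bool:
    """The hardened handler rejects every constructed attacker name."""
    webshell = b"<?php system($_GET['c']); ?>"
    return all(hardened_destination(n, webshell) is None for n in ATTACKER_NAMES)
```

The order matters: the basename is taken before any extension logic runs, so a traversal prefix cannot rescue a bad extension, and the allowlist is applied to every segment rather than only the last one, which is what defeats double-extension tricks on servers whose handler mapping looks at any extension in the name.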


In an advisory published on Monday, Wordfence said it acted quickly following the report on January 8, 2026. "We validated the report and confirmed the proof-of-concept [PoC] exploit," the team said.

The plugin developer issued a partial fix on February 10, followed by a complete patch on March 19 with version 3.3.27.

Users are strongly advised to update immediately to version 3.3.27 or later. Because the February 10 release was only a partial fix, sites that stopped at that intermediate version remain exposed. Delays in patching could leave sites open to exploitation, particularly given the ease of attack and the lack of authentication required.
