LeakyCreds

CVE-2026-0740 - Vulnerability Analysis

Critical | CVSS: 9.8

Last Updated: April 7, 2026

Ninja Forms - File Uploads - Unrestricted File Upload

Published: April 7, 2026 | Updated: April 7, 2026 | KEV | Remote Exploitable

Overview

The Ninja Forms - File Uploads plugin for WordPress, versions <= 3.3.26, contains an unrestricted file upload vulnerability caused by missing file type validation in NF_FU_AJAX_Controllers_Uploads::handle_upload. It lets attackers upload arbitrary files, and exploitation requires no authentication.

Severity & Score

Severity: Critical
CVSS Score: 9.8
EPSS Score: 8.3% (Probability of exploitation in the next 30 days)

Impact

Unauthenticated attackers can upload arbitrary files, potentially leading to remote code execution and full server compromise.

Mitigation

Update to version 3.3.27 or later.

Social Media Activity (4 posts)

OffSequence
@offseq
Apr 7, 2026

🚨 CRITICAL: CVE-2026-0740 in Ninja Forms - File Uploads (≤3.3.26) lets unauthenticated attackers upload arbitrary files, enabling RCE. Patch to 3.3.27+ now! https://radar.offseq.com/threat/cve-2026-0740-cwe-434-unrestricted-upload-of-file--9ec11832 #OffSeq #WordPress #Vuln #BlueTeam

TheHackerWire
@thehackerwire
Apr 7, 2026

CVE-2026-0740 - Critical (9.8) The Ninja Forms - File Uploads plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'NF_FU_AJAX_Controllers_Uploads::handle_upload' function in all versions up to, and including, 3.3.26. This make... https://www.thehackerwire.com/vulnerability/CVE-2026-0740/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack


Details

CVE ID: CVE-2026-0740
Severity: Critical
CVSS Score: 9.8
Type: unrestricted_file_upload
Status: unconfirmed
EPSS: 8.3%
Social Posts: 4

CWE

  • CWE-434

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

8.3% (Probability of exploitation in the next 30 days)