A critical vulnerability in the Ninja Forms File Uploads premium add-on for WordPress allows uploading arbitrary files without authentication, which can lead to remote code execution.
Tracked as CVE-2026-0740, the issue is currently exploited in attacks. According to WordPress security firm Defiant, its Wordfence firewall blocked more than 3,600 attacks over the past 24 hours.
With over 600,000 downloads, Ninja Forms is a popular WordPress form builder that lets users create forms without coding using a drag-and-drop interface. Its File Upload extension, included in the same suite, serves 90,000 customers.
With a critical severity score of 9.8 out of 10, the CVE-2026-0740 vulnerability affects Ninja Forms File Upload versions up to 3.3.26.
According to Wordfence researchers, the flaw is caused by a lack of validation of file types/extensions on the destination filename, allowing an unauthenticated attacker to upload arbitrary files, including PHP scripts, and also manipulate filenames to enable path traversal.
“The function does not include any file type or extension checks on the destination filename before the move operation in the vulnerable version,” Wordfence explains.
“This means that not only safe files can be uploaded, but it is also possible to upload files with a .php extension.”
“Since no filename sanitization is applied, the malicious parameter also facilitates path traversal, allowing the file to be moved even to the webroot directory.”
“This makes it possible for unauthenticated attackers to upload arbitrary malicious PHP code and then access the file to trigger remote code execution on the server.”
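The two missing checks Wordfence describes above, an extension allow-list on the destination filename and sanitization that rules out path traversal, are illustrated below in an added example. This is not Ninja Forms code and does not reproduce the plugin's handler; the function name, the upload directory argument and the allow-list are assumptions, and it assumes PHP 8 for str_starts_with(). It validates the destination name before any move operation and returns null for anything it rejects.

```php
<?php
declare(strict_types=1);

// Added example, not the plugin's own code. Conservative allow-list of
// extensions an upload handler would accept (assumed values).
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];

/**
 * Compute a safe absolute destination path inside $uploadDir for a
 * user-supplied filename, or return null if the name must be rejected.
 * All checks run on the destination name, i.e. before the move.
 */
function safe_destination(string $uploadDir, string $requestedName): ?string
{
    // 1. The name must be a bare filename. basename() strips any directory
    //    part, so "../x.jpg" or "/var/www/x.jpg" differ from their basename
    //    and are rejected here; this is the anti-traversal check.
    if ($requestedName === '' || $requestedName !== basename($requestedName)) {
        return null;
    }
    if ($requestedName === '.' || $requestedName === '..') {
        return null;
    }

    // 2. Restrict the character set. This also excludes NUL bytes, spaces,
    //    backslashes and other separators that basename() may not treat
    //    as path components on every platform.
    if (!preg_match('/^[A-Za-z0-9._-]+$/', $requestedName)) {
        return null;
    }

    // 3. Allow-list the final extension on the destination name.
    $ext = strtolower(pathinfo($requestedName, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null;
    }

    // 4. Refuse any PHP-like segment anywhere in a multi-dot name, so that
    //    a name such as "photo.php.jpg" is not accepted on a server whose
    //    handler mapping keys on inner extensions.
    foreach (explode('.', strtolower($requestedName)) as $segment) {
        if (preg_match('/^ph(p|tml|ar|p\d)$/', $segment)) {
            return null;
        }
    }

    // 5. Containment check against the resolved upload directory, as a
    //    final guard independent of the string checks above.
    $root = realpath($uploadDir);
    if ($root === false) {
        return null;
    }
    $dest = $root . DIRECTORY_SEPARATOR . $requestedName;
    if (!str_starts_with($dest, $root . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $dest;
}

// Constructed sample names for a local run; sys_get_temp_dir() stands in
// for the real uploads directory.
$dir = sys_get_temp_dir();
$samples = [
    'report.pdf',          // accepted
    'photo.JPG',           // accepted (extension compared case-insensitively)
    'shell.php',           // rejected: extension not allow-listed
    'photo.php.jpg',       // rejected: inner php segment
    '../../index.png',     // rejected: not a bare filename
    "evil\0.png",          // rejected: character set
];
foreach ($samples as $name) {
    $result = safe_destination($dir, $name);
    printf("%-22s => %s\n", json_encode($name), $result === null ? 'REJECTED' : $result);
}
```

In a real handler the returned path would be the only value ever passed to move_uploaded_file(); anything null is logged and the request refused. The allow-list is deliberately short, and deny-listing PHP extensions on its own would not be enough, since a server may map other extensions to the PHP interpreter.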
The potential repercussions of exploitation are dire, including the deployment of web shells and full site takeover.
Discovery and fixes
The vulnerability was discovered by security researcher Sélim Lanouar (whattheslime), who submitted it to Wordfence's bug bounty program on January 8.
Following validation, Wordfence disclosed the full details to the vendor on the same day and pushed temporary mitigations via firewall rules to its customers.
After patch reviews and a partial fix on February 10, the vendor released a complete fix in version 3.3.27, available since March 19.
Given that Wordfence is detecting thousands of exploitation attempts daily, users of Ninja Forms File Upload are strongly recommended to prioritize upgrading to the latest version.