March 19 patch closes CVE-2026-0740 after Feb. 10 partial fix left ~50,000 Ninja Forms File Upload installs exposed
The recent sequence of fixes for the Ninja Forms – File Upload extension matters because an incomplete February patch left thousands of WordPress sites exposed to unauthenticated remote code execution until a full remediation arrived on March 19, 2026. CVE-2026-0740 (CVSS 9.8) allows arbitrary file upload via the plugin’s handle_upload() AJAX endpoint; only version 3.3.27 contains the complete repair.
Patch timeline and which releases actually close CVE-2026-0740
On February 10, 2026 the vendor released version 3.3.25; that update attempted to address the issue but did not sanitize destination filenames or block executable extensions on the destination path. Attackers continued to exploit the same handle_upload() AJAX handler. The fully effective remediation arrived in version 3.3.27, published March 19, 2026, which adds basename() and WordPress sanitize_file_name() checks and enforces destination extension blacklisting.
Practical implication: sites running 3.3.25 or 3.3.26 should be treated as vulnerable even if they show “updated” status in dashboards. The official CVE number is CVE-2026-0740; administrators should confirm they are on 3.3.27 or later before assuming safety.
How the vulnerability actually works (why sanitizing the destination filename mattered)
Root cause: handle_upload() validated the source filename but failed to re-check the destination filename that the server uses to write the file. An attacker can supply crafted POST parameters to cause path traversal (for example ../) and a destination name ending in .php, placing a webshell in the webroot. Because the AJAX endpoint requires no authentication, an attacker can upload and execute arbitrary PHP without credentials or user interaction.
Because the flaw combines path traversal with an unchecked destination extension, the March 19 fix explicitly applies basename() and sanitize_file_name() to the destination name and blocks executable extensions on the destination file. Those are exactly the mitigations the incomplete February patch omitted, which is why it did not stop attacks in the wild.
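To make the difference between the two patches concrete, here is an added example (written for this article, not the plugin's own code) that models in Python the same three destination checks the 3.3.27 fix is described as adding. The function names, the extension blocklist, the character whitelist that stands in for WordPress's sanitize_file_name(), and the sample filenames are all assumptions for the illustration; the hardened version also goes slightly beyond the text by checking every extension segment, so a double extension such as cv.php.jpg is refused too.

```python
import os
import re
from typing import Optional

# Extensions the web server would execute if the file landed in the webroot.
# Assumed list for this example; match it to the server's actual handler configuration.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "pht", "phps"}

# Characters allowed in a stored filename (an approximation of what WordPress's
# sanitize_file_name() leaves behind; not that function's exact behaviour).
_UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]")


def unchecked_destination(upload_dir: str, requested_name: str) -> str:
    """The flawed pattern: the source filename was validated earlier, but the
    client-supplied *destination* name is joined onto the upload directory as-is,
    so '../' segments and a '.php' suffix survive into the write path."""
    return os.path.join(upload_dir, requested_name)


def sanitize_destination(upload_dir: str, requested_name: str) -> Optional[str]:
    """Return a safe absolute write path under upload_dir, or None to reject the upload.

    Models the three checks the 3.3.27 fix is described as adding:
      1. basename(): discard every directory component, so traversal cannot leave upload_dir
      2. sanitize_file_name()-style cleanup: drop characters unsafe in a stored name
      3. destination extension blocklist: refuse executable extensions on the final name
    """
    # 1. basename() after normalising separators, so 'a\\..\\x.php' is treated like 'a/../x.php'
    name = os.path.basename(requested_name.replace("\\", "/"))
    # 2. whitespace to dashes, strip unsafe characters, collapse runs of dots, trim edge dots/dashes
    name = re.sub(r"\s+", "-", name)
    name = _UNSAFE_CHARS.sub("", name)
    name = re.sub(r"\.{2,}", ".", name).strip(".-")
    if "." not in name:
        return None  # no extension at all (covers empty names and dotfiles such as .htaccess)
    # 3. check every extension segment, so 'cv.php.jpg' is refused as well as 'cv.php'
    if any(seg in EXECUTABLE_EXTENSIONS for seg in name.lower().split(".")[1:]):
        return None
    # Defence in depth: resolve the final path and confirm it is still inside upload_dir
    root = os.path.realpath(upload_dir)
    dest = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, dest]) != root:
        return None
    return dest


if __name__ == "__main__":
    # Constructed sample names: the first is ordinary, the rest exercise the checks
    for requested in ("report.pdf", "../../shell.php", "cv.php.jpg", "my resume (final).docx"):
        print(f"{requested!r:30} -> {sanitize_destination('/srv/nf-uploads', requested)}")
```

The point of unchecked_destination() is only to show the shape of the original oversight: a source-side extension check does nothing for the name that is actually written. The realpath containment test at the end is redundant once basename() has run, but keeping it means a future change to the name handling cannot silently reintroduce traversal.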
Scope of impact and real-world exploitation signals
About 50,000 active WordPress sites use the Ninja Forms – File Upload add-on; installations include contact forms, recruitment portals, and donation pages. Wordfence reported thousands of exploitation attempts per day against this flaw, indicating automated scanning and active exploitation campaigns targeting the vulnerable AJAX endpoint.
Deployment friction matters: the add-on’s premium distribution channel and separate updater slowed adoption of 3.3.27. Sites that rely on WordPress’ built-in plugin auto-update mechanism, or that receive premium updates only through vendor servers, may still lag behind; that distribution reality, combined with the unauthenticated attack vector, widened the window for compromise between February and late March 2026.
Immediate operator actions, detection checkpoints, and short decision table
If you operate a site with the plugin, upgrade to 3.3.27 immediately; if an immediate upgrade isn’t possible, stop file uploads, restrict uploads to authenticated administrators, and ensure your server forbids execution from upload folders. Also audit recent uploads and webroot directories for unexpected .php files.
| Version | Status (CVE-2026-0740) | Release date | Action |
|---|---|---|---|
| ≤ 3.3.24 | Vulnerable | Before Feb 10, 2026 | Upgrade to 3.3.27; scan uploads |
| 3.3.25 | Partially patched (still vulnerable) | Feb 10, 2026 | Treat as vulnerable; apply 3.3.27 |
| 3.3.26 | Vulnerable | Between Feb 10 and Mar 19, 2026 | Upgrade to 3.3.27 immediately |
| ≥ 3.3.27 | Patched (complete fix) | Mar 19, 2026 | Confirm patch applied and monitor logs |
Quick Q&A
Is version 3.3.25 safe? No. The February 10 release (3.3.25) was a partial patch and does not fully mitigate CVE-2026-0740—treat it as vulnerable.
How can I reduce risk right now? Disable file uploads or restrict them to authenticated admins, enforce server-side no-execute on upload directories, and block common webshell extensions at the server or WAF level until you can upgrade to 3.3.27.
How do I tell if I was compromised? Check for unexpected .php files in the webroot and upload directories, review access logs for POST calls to admin-ajax.php with suspicious parameters, and scan for outbound connections or command execution indicators; if you find signs of compromise, restore from a clean backup and rotate credentials.
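The two log-and-filesystem checks above, as an added example that is not part of the original article or the plugin: count POSTs to admin-ajax.php per client (bursts from one address fit the automated scanning Wordfence describes), flag any request for an executable file under /wp-content/uploads/, and list executable files on disk in the uploads tree. The Apache/nginx "combined" log layout, the sample log lines and the extension list are constructed assumptions for the example; the article gives no AJAX action name, so none is matched here.

```python
import os
import re
from collections import Counter
from typing import Dict, Iterable, List

# Apache/nginx "combined" access-log layout (assumed for this example)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Server-side executable extensions to hunt for under the uploads tree (assumed list)
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "pht", "phps"}

# Constructed sample log: one normal page view, three admin-ajax POSTs in quick succession
# from one client, a request for a .php file inside uploads (the strongest single indicator),
# and a single admin-ajax POST from another client
SAMPLE_LOG = """\
192.0.2.9 - - [18/Mar/2026:10:03:00 +0000] "GET /contact/ HTTP/1.1" 200 9123
203.0.113.7 - - [18/Mar/2026:10:01:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512
203.0.113.7 - - [18/Mar/2026:10:01:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512
203.0.113.7 - - [18/Mar/2026:10:01:04 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512
203.0.113.7 - - [18/Mar/2026:10:01:09 +0000] "GET /wp-content/uploads/2026/03/shell.php HTTP/1.1" 200 88
198.51.100.4 - - [18/Mar/2026:10:02:30 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 64
"""


def _has_executable_extension(path: str) -> bool:
    """True if any extension segment of the final path component is executable (query string ignored)."""
    name = os.path.basename(path.split("?", 1)[0]).lower()
    return any(seg in EXECUTABLE_EXTENSIONS for seg in name.split(".")[1:])


def ajax_post_counts(log_text: str) -> Dict[str, int]:
    """Count POST requests to admin-ajax.php per client IP; bursts suggest automated abuse."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and m["target"].split("?", 1)[0].endswith("/wp-admin/admin-ajax.php"):
            counts[m["ip"]] += 1
    return dict(counts)


def php_hits_under_uploads(log_text: str) -> List[str]:
    """Return request targets for executable files under /wp-content/uploads/."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m["target"]
        if target.startswith("/wp-content/uploads/") and _has_executable_extension(target):
            hits.append(target)
    return hits


def flag_executable_paths(relative_paths: Iterable[str]) -> List[str]:
    """Filter relative file paths down to those with an executable extension anywhere in the name."""
    return sorted(p for p in relative_paths if _has_executable_extension(p))


def find_php_files(upload_root: str) -> List[str]:
    """Walk an uploads directory on disk and return executable files relative to its root."""
    found = []
    for dirpath, _dirs, files in os.walk(upload_root):
        for f in files:
            found.append(os.path.relpath(os.path.join(dirpath, f), upload_root))
    return flag_executable_paths(found)


if __name__ == "__main__":
    print("admin-ajax POSTs per IP:", ajax_post_counts(SAMPLE_LOG))
    print("executable files requested under uploads:", php_hits_under_uploads(SAMPLE_LOG))
    # On a real host, point find_php_files() at the site's wp-content/uploads directory
```

A legitimate site sees plenty of admin-ajax.php POSTs, so the per-IP count is a triage signal rather than proof; a 200 response for any .php path under uploads, or a file find_php_files() returns, is what should trigger the restore-from-backup and credential-rotation steps.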