
A critical vulnerability in the Ninja Forms File Uploads premium add-on for WordPress allows unauthenticated attackers to upload arbitrary files, which can lead to remote code execution.
Tracked as CVE-2026-0740, the issue is currently being exploited in attacks. According to WordPress security company Defiant, its Wordfence firewall blocked more than 3,600 attacks over the past 24 hours.
With over 600,000 downloads, Ninja Forms is a popular WordPress form builder that lets users create forms without coding through a drag-and-drop interface. Its File Uploads extension, part of the same suite, serves 90,000 customers.
Rated critical with a severity score of 9.8 out of 10, CVE-2026-0740 affects Ninja Forms File Uploads versions up to and including 3.3.26.
According to Wordfence researchers, the flaw stems from missing validation of the file type/extension of the destination filename, allowing an unauthenticated attacker to upload arbitrary files, including PHP scripts, and also to manipulate the filename to achieve path traversal.
“The function does not include any file type or extension checks on the destination filename before the move operation in the vulnerable version,” Wordfence explains.
“This means that not only safe files can be uploaded, but it is also possible to upload files with a .php extension.”
“Since no filename sanitization is applied, the malicious parameter also facilitates path traversal, allowing the file to be moved even to the webroot directory.”
“This makes it possible for unauthenticated attackers to upload arbitrary malicious PHP code and then access the file to trigger remote code execution on the server.”
The potential consequences of exploitation are severe, including the deployment of web shells and full site takeover.
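The two checks Wordfence describes as missing, an extension check on the destination filename and sanitization of the path, are shown below in an illustration written for this article. It is not code from the Ninja Forms File Uploads plugin and does not reproduce the vendor's fix; the function name safe_upload_destination, the $upload_dir and $requested_name parameters, and the sample filenames are all assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added illustration for this page; NOT code from the Ninja Forms File Uploads
// plugin and not its actual patch. Assumed: the plugin writes the upload into
// $upload_dir under a name taken from a request parameter ($requested_name),
// which the attacker controls.
//
// The generic vulnerable pattern the Wordfence quote describes: the name is
// used as-is, so "../../shell.php" lands in the webroot as executable PHP.
//   move_uploaded_file($tmp, $upload_dir . '/' . $requested_name);   // unsafe

/**
 * Return a safe destination path inside $upload_dir, or null to reject the upload.
 */
function safe_upload_destination(string $upload_dir, string $requested_name, array $allowed_ext): ?string
{
    // 1. Path traversal: keep only the last path component, whatever the separator.
    $name = basename(str_replace('\\', '/', $requested_name));

    // Reject empty names, dotfiles (.htaccess) and control characters.
    if ($name === '' || $name[0] === '.' || preg_match('/[\x00-\x1f]/', $name) === 1) {
        return null;
    }

    // 2. Extension allow-list on the *destination* name, compared case-insensitively.
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if ($ext === '' || !in_array($ext, $allowed_ext, true)) {
        return null;
    }

    // Deliberately strict policy: exactly one dot, so "shell.php.jpg" cannot
    // slip through on servers that execute on an inner .php extension.
    if (substr_count($name, '.') !== 1) {
        return null;
    }

    // 3. Defence in depth: the resolved parent of the destination must be the upload dir.
    $real_dir = realpath($upload_dir);
    if ($real_dir === false) {
        return null;
    }
    $dest = $real_dir . DIRECTORY_SEPARATOR . $name;
    if (realpath(dirname($dest)) !== $real_dir) {
        return null;
    }
    return $dest;
}

// Constructed sample names (not taken from any real attack); the right-hand
// column states the verdict the function should give.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'upload-demo';
if (!is_dir($dir)) {
    mkdir($dir, 0700, true);
}
$allowed = ['jpg', 'png', 'pdf'];
$samples = [
    'report.pdf'        => 'accepted',
    'photo.PNG'         => 'accepted (case-insensitive extension)',
    'shell.php'         => 'rejected: extension not allowed',
    '../../shell.php'   => 'rejected: traversal stripped, extension not allowed',
    '..\\..\\shell.php' => 'rejected: Windows-style traversal, same result',
    'shell.php.jpg'     => 'rejected: double extension',
    '.htaccess'         => 'rejected: dotfile',
];
foreach ($samples as $name => $expected) {
    $dest = safe_upload_destination($dir, $name, $allowed);
    printf("%-18s %-8s (%s)\n", $name, $dest === null ? 'REJECTED' : 'OK', $expected);
}
```

The order matters: the name is reduced to a single path component before the extension is inspected, so a traversal string cannot be used to hide the real extension, and the final realpath() comparison catches anything the string checks missed. In a real WordPress plugin the allow-list would normally be delegated to core's wp_check_filetype_and_ext() rather than hand-rolled, but the structure of the check is the same.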
Discovery and fixes
The vulnerability was discovered by security researcher Sélim Lanouar (whattheslime), who submitted it to Wordfence's bug bounty program on January 8.
After validating the report, Wordfence disclosed the full details to the vendor the same day and pushed temporary mitigations to its customers via firewall rules.
After patch reviews and a partial fix on February 10, the vendor released a complete fix in version 3.3.27, available since March 19.
Given that Wordfence is detecting thousands of exploitation attempts daily, users of Ninja Forms File Uploads are strongly advised to prioritize upgrading to the latest version.


