CVE-2016-1209

CRITICAL

Ninja Forms <2.9.42.1 - Code Injection

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2016-1209. PoCs published by Metasploit, James Golovich, rastating, including Metasploit module exploits/multi/http/wp_ninja_forms_unauthenticated_file_upload.

AI-analyzed exploit summary This Metasploit module exploits an unauthenticated file upload vulnerability in WordPress Ninja Forms (CVE-2016-1209), allowing arbitrary PHP code execution by uploading a malicious file via a vulnerable V3 preview mode.

Description

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via crafted serialized values in a POST request.

Exploits (2)

exploitdb WORKING POC VERIFIED

by Metasploit · rubywebappsmultiple

https://www.exploit-db.com/exploits/41692

View Code ZIP pw:eip

This Metasploit module exploits an unauthenticated file upload vulnerability in WordPress Ninja Forms (CVE-2016-1209), allowing arbitrary PHP code execution by uploading a malicious file via a vulnerable V3 preview mode.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: WordPress Ninja Forms 2.9.36 to 2.9.42

No auth needed

Prerequisites: Target must have Ninja Forms plugin installed and vulnerable version active · Access to a page hosting a Ninja Forms form

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

by James Golovich, rastating · rubypocphp

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/wp_ninja_forms_unauthenticated_file_upload.rb