CVE-2026-0740

CRITICAL · EXPLOITED · NUCLEI

Ninja Forms - File Upload <= 3.3.26 - Unauthenticated Arbitrary File Upload

Title source: cna

Exploitation Summary

CVE-2026-0740 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 9 public exploits from researchers including selim.lanouar, adminlove520, a24ac1. A Nuclei detection template is also available.

AI-analyzed exploit summary: This exploit demonstrates an unauthenticated PHP file upload vulnerability in Ninja Forms Uploads (CVE-2026-0740). It uploads a webshell by leveraging a nonce generation flaw and path traversal in the file upload mechanism.

Description

The Ninja Forms - File Uploads plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'NF_FU_AJAX_Controllers_Uploads::handle_upload' function in all versions up to, and including, 3.3.26. This makes it possible for unauthenticated attackers to upload arbitrary files to the affected site's server, which may make remote code execution possible if an uploaded PHP file is reachable under the web root. Note: The vulnerability was partially patched in version 3.3.25 and fully patched in version 3.3.27.
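The checks that handle_upload lacked, shown as an added example for this page (not code from the Ninja Forms plugin or from any of the exploits listed below). It covers the three failure modes the write-ups mention: an executable extension anywhere in the name (so a "disguised" shell.php.jpg is refused too), content that does not match the claimed type, and a client-influenced sub-directory that walks out of the uploads tree. The upload directory, the allowlist and the assumption that the web server may execute multi-extension PHP files are illustrative.

```python
"""Server-side checks an upload handler needs before writing a client-named file.

Added example for this page, not code from the Ninja Forms plugin. The upload
directory, allowlist and the Apache multi-extension assumption are illustrative.
"""
import posixpath

# Assumption: what the site is willing to store. Anything else is refused.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}

# Extensions a PHP-backed web server may execute. They are refused anywhere in
# the name, not only at the end, because multi-extension handling on the web
# server can still run "shell.php.jpg" as PHP (assumption about the hosting stack).
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "php8",
                         "phtml", "phar", "pht", "phps", "htaccess"}

# Leading bytes expected for each allowed type; a file claiming to be an
# image but starting with "<?php" is refused here.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",), "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",), "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",), "txt": (),       # txt: no signature, content is not executed
}


class UploadRejected(ValueError):
    """Raised with a short reason when a request fails a check."""


def sanitize_filename(client_name: str) -> str:
    """Reduce a client-supplied name to a safe basename or raise UploadRejected."""
    name = client_name.replace("\\", "/").replace("\x00", "")
    name = posixpath.basename(name)          # drop any directory components
    name = name.lstrip(".")                  # no dotfiles, so ".htaccess" dies here
    if not name:
        raise UploadRejected("empty filename")
    parts = name.lower().split(".")
    if len(parts) < 2:
        raise UploadRejected("no extension")
    if any(p in EXECUTABLE_EXTENSIONS for p in parts[1:]):
        raise UploadRejected("executable extension in name")
    if parts[-1] not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension {parts[-1]!r} not allowed")
    return name


def check_magic(name: str, head: bytes) -> None:
    """Refuse content whose leading bytes do not match the claimed extension."""
    ext = name.lower().rsplit(".", 1)[-1]
    signatures = MAGIC[ext]
    if signatures and not any(head.startswith(sig) for sig in signatures):
        raise UploadRejected(f"content does not look like {ext}")


def resolve_destination(upload_dir: str, subdir: str, name: str) -> str:
    """Join the client-influenced subdir and confirm the result stays inside upload_dir.

    Lexical normalisation is enough to show the traversal check; production code
    should also realpath() the result so symlinks cannot escape the directory.
    """
    base = posixpath.normpath(upload_dir)
    target = posixpath.normpath(posixpath.join(base, subdir.replace("\\", "/"), name))
    if not target.startswith(base + "/"):
        raise UploadRejected("destination escapes upload directory")
    return target


def validate_upload(upload_dir: str, subdir: str, client_name: str, head: bytes):
    """Return (True, destination_path) or (False, reason)."""
    try:
        name = sanitize_filename(client_name)
        check_magic(name, head)
        return True, resolve_destination(upload_dir, subdir, name)
    except UploadRejected as exc:
        return False, str(exc)


if __name__ == "__main__":
    UPLOADS = "/var/www/html/wp-content/uploads"        # assumption
    cases = [  # constructed requests: (subdir, filename, first bytes)
        ("ninja-forms/tmp", "photo.png", b"\x89PNG\r\n\x1a\n\x00"),
        ("ninja-forms/tmp", "shell.php", b"<?php system($_GET['c']);"),
        ("ninja-forms/tmp", "shell.php.jpg", b"\xff\xd8\xff\xe0"),
        ("../../../../tmp", "photo.png", b"\x89PNG\r\n\x1a\n\x00"),
        ("ninja-forms/tmp", "photo.png", b"<?php system($_GET['c']);"),
    ]
    for subdir, fname, head in cases:
        print(subdir, fname, "->", validate_upload(UPLOADS, subdir, fname, head))
```

The order matters: the name is reduced to a basename before the extension test, so "../../shell.php" cannot slip past as a traversal payload with an "allowed" last component, and the destination check runs on the normalised absolute path rather than on the raw subdir string, so encoded or doubled "../" sequences are caught after normalisation instead of by pattern matching.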

Exploits (9)

exploitdb WORKING POC
by selim.lanouar · bash · webapps · multiple
https://www.exploit-db.com/exploits/52560

This exploit demonstrates an unauthenticated PHP file upload vulnerability in Ninja Forms Uploads (CVE-2026-0740). It uploads a webshell by leveraging a nonce generation flaw and path traversal in the file upload mechanism.

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Ninja Forms Uploads 3.3.24
Authentication: none required
Prerequisites: WordPress with Ninja Forms Uploads plugin installed · Access to wp-admin/admin-ajax.php
devstral-2 · analyzed May 14, 2026
github WORKING POC · 3 stars
by adminlove520 · python · poc
https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2026/CVE-2026-0740

This repository contains a functional exploit for CVE-2026-0740, an unauthenticated arbitrary file upload vulnerability in Ninja Forms - File Upload plugin for WordPress. The exploit automates the process of obtaining a nonce, uploading a disguised PHP shell, and renaming it to achieve remote code execution.

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Ninja Forms - File Upload plugin for WordPress <= 3.3.26
Authentication: none required
Prerequisites: WordPress site with vulnerable Ninja Forms - File Upload plugin · list.txt file containing target URLs
devstral-2 · analyzed May 04, 2026
nomisec WORKING POC
by a24ac1 · poc
https://github.com/a24ac1/CVE-2026-0740

This repository contains a functional exploit for CVE-2026-0740, targeting a vulnerability in Ninja Forms (WordPress plugin). The exploit uploads a malicious PHP shell by abusing the file upload functionality via admin-ajax.php, leveraging a nonce retrieval mechanism.

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Ninja Forms (WordPress plugin)
Authentication: none required
Prerequisites: WordPress site with vulnerable Ninja Forms plugin · Access to admin-ajax.php endpoint
devstral-2 · analyzed May 28, 2026
nomisec WORKING POC
by zycoder0day · remote
https://github.com/zycoder0day/CVE-2026-0740

This is a functional exploit for CVE-2026-0740 targeting Ninja Forms Upload, leveraging path traversal to upload arbitrary files and achieve remote code execution. The script automates nonce retrieval, file upload with traversal, and validation of the uploaded file.

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Ninja Forms Upload (WordPress plugin)
Authentication: none required
Prerequisites: WordPress site with vulnerable Ninja Forms Upload plugin · network access to target
devstral-2 · analyzed May 12, 2026
nomisec STUB
by BastianXploited · poc
https://github.com/BastianXploited/CVE-2026-0740

The repository contains only a README.md file with minimal content (just the CVE identifier) and no exploit code or technical details. It appears to be a placeholder or stub.

Classification: Stub (100%)
Attack type: Other
Complexity: Trivial
Reliability: Theoretical
Target: unknown
Authentication: none required
devstral-2 · analyzed May 10, 2026
github WORKING POC
by murrez · python · remote
https://github.com/murrez/CVE-2026-0740

This repository contains a functional Python script that exploits a file upload vulnerability in the WordPress Ninja Forms plugin (CVE-2026-0740). The script automates the process of retrieving a nonce and uploading a malicious PHP shell to vulnerable targets listed in a file.

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: WordPress Ninja Forms plugin
Authentication: none required
Prerequisites: list of target URLs in list.txt · Python 3 · requests library
devstral-2 · analyzed Apr 26, 2026
nomisec WORKING POC
by 0xgh057r3c0n · remote
https://github.com/0xgh057r3c0n/CVE-2026-0740

This repository contains a functional Python exploit for CVE-2026-0740, targeting an unauthenticated arbitrary file upload vulnerability in Ninja Forms File Uploads <= 3.3.26. The exploit includes detailed logging, proxy support, and path traversal capabilities.

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Ninja Forms File Uploads <= 3.3.26
Authentication: none required
Prerequisites: Target URL · File to upload · Optional: Path traversal destination
devstral-2 · analyzed Apr 17, 2026
nomisec WORKING POC
by whattheslime · remote
https://github.com/whattheslime/CVE-2026-0740

This repository contains a functional Python exploit for CVE-2026-0740, an unauthenticated arbitrary file upload vulnerability in Ninja Forms File Uploads <= 3.3.26. The exploit leverages a path traversal technique to upload files to arbitrary locations on the target system.

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Ninja Forms File Uploads <= 3.3.26
Authentication: none required
Prerequisites: Target URL · File to upload · Path traversal destination
devstral-2 · analyzed Apr 10, 2026
nomisec WORKING POC
by xShadow-Here · remote
https://github.com/xShadow-Here/CVE-2026-0740

This repository contains a functional exploit for CVE-2026-0740, an unauthenticated arbitrary file upload vulnerability in Ninja Forms - File Upload plugin for WordPress. The exploit automates the process of fetching a nonce, uploading a disguised PHP shell, and renaming it to achieve remote code execution.

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Ninja Forms - File Upload plugin for WordPress <= 3.3.26
Authentication: none required
Prerequisites: WordPress site with vulnerable Ninja Forms - File Upload plugin · list.txt file containing target URLs
devstral-2 · analyzed Apr 09, 2026
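The exploit write-ups above share one observable sequence: a client POSTs to wp-admin/admin-ajax.php (nonce fetch and upload), then requests a PHP file under wp-content/uploads to run the shell. The following is an added detection example for this page, not code from any of the listed exploits or from the Nuclei template; it runs over constructed access-log lines in combined format. The uploads sub-directory in the sample lines and the 10-minute correlation window are assumptions; the logic only relies on the admin-ajax.php endpoint and the wp-content/uploads prefix that the write-ups name.

```python
"""Spot the upload-then-execute pattern in web server access logs.

Added example for this page, not from any exploit or the Nuclei template. The
log lines are constructed; the uploads subdirectory and the 10-minute window
are assumptions. Signal: a POST to wp-admin/admin-ajax.php from a client that
then requests a PHP-looking file under wp-content/uploads.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Any PHP extension, also when followed by another extension ("x.php.jpg").
PHP_EXT = re.compile(r"\.(php\d?|phtml|phar|pht)(\.|$)", re.IGNORECASE)


def parse_line(line):
    """Return a dict for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["path"] = urlsplit(rec["target"]).path     # drop the query string
    rec["status"] = int(rec["status"])
    return rec


def is_ajax_post(rec):
    return rec["method"] == "POST" and rec["path"].endswith("/wp-admin/admin-ajax.php")


def is_php_under_uploads(rec):
    """True for any PHP-looking basename below wp-content/uploads."""
    path = rec["path"]
    return "/wp-content/uploads/" in path and bool(PHP_EXT.search(path.rsplit("/", 1)[-1]))


def detect(lines, window=timedelta(minutes=10)):
    """One alert per PHP request under uploads: high if the same client POSTed to
    admin-ajax.php within `window` beforehand, medium otherwise (bare probing)."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    alerts = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        last_ajax = None
        for rec in recs:
            if is_ajax_post(rec):
                last_ajax = rec["ts"]
            elif is_php_under_uploads(rec):
                recent = last_ajax is not None and rec["ts"] - last_ajax <= window
                alerts.append({
                    "ip": ip,
                    "path": rec["path"],
                    "status": rec["status"],
                    "severity": "high" if recent else "medium",
                })
    return alerts


# Constructed sample: one attack sequence, one legitimate form submission
# followed by a PDF download, and one lone probe for a shell that is not there.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Apr/2026:10:15:01 +0000] "GET /contact/ HTTP/1.1" 200 18211
203.0.113.5 - - [07/Apr/2026:10:15:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 312
203.0.113.5 - - [07/Apr/2026:10:15:04 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 97
203.0.113.5 - - [07/Apr/2026:10:15:06 +0000] "GET /wp-content/uploads/ninja-forms/tmp/nf.php?cmd=id HTTP/1.1" 200 58
198.51.100.7 - - [07/Apr/2026:10:20:11 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 44
198.51.100.7 - - [07/Apr/2026:10:20:12 +0000] "GET /wp-content/uploads/2026/04/brochure.pdf HTTP/1.1" 200 90412
192.0.2.9 - - [07/Apr/2026:11:02:40 +0000] "GET /wp-content/uploads/ninja-forms/tmp/shell.php HTTP/1.1" 404 196
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

A 200 on a PHP path under uploads is the strongest signal on its own, since a correctly configured uploads directory should never execute PHP; the admin-ajax.php correlation mainly separates a successful upload-and-run from scanners guessing shell names. On sites where PHP execution is already disabled under wp-content/uploads (the usual hardening), the same query still surfaces the upload attempt even though the shell never runs.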

Nuclei Templates (1)

Ninja Forms File Uploads <= 3.3.26 - Arbitrary File Upload
CRITICAL · VERIFIED · by whattheslime
Shodan: http.html:"nfpluginsettings.js?ver="
FOFA: body="nfpluginsettings.js?ver="

Scores

CVSS v3: 9.8
EPSS: 0.1741
EPSS percentile: 95.2%
Attack vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: yes
Technical impact: total

Details

VulnCheck KEV: 2026-04-06
CWE: CWE-434
Status: published
Products (1)
SaturdayDrive/Ninja Forms - File Uploads <= 3.3.26 (fully patched in 3.3.27)
Published: Apr 07, 2026
Tracked since: Apr 07, 2026