A critical vulnerability in the Ninja Forms File Uploads premium add-on for WordPress allows uploading arbitrary files without authentication, which can lead to remote code execution. Identified as CVE-2026-0740, the issue is currently exploited in attacks. According to WordPress security company Defiant, its Wordfence firewall blocked more than 3,600 attacks over the past 24 hours. With over 600,000 downloads, Ninja Forms is a popular WordPress form builder that lets users create forms without coding using a drag-and-drop interface. Its File Upload extension, included in the same suite, serves 90,000 customers. With a critical severity rating of 9.8 out of 10, the CVE-2026-0740 vulnerability affects Ninja Forms File Upload versions up to 3.3.26. According to Wordfence researchers, the flaw is caused by a lack of validation of file types/extensions on the destination filename, allowing an unauthenticated attacker to upload arbitrary files, including PHP scripts, and also manipulate filenames to enable path traversal. “The function does not include any file type or extension checks on the destination filename before the move operation in the vulnerable version,” Wordfence explains. “This means that not only safe files can be uploaded, but it is also possible to upload files with a .php extension.” “Since no filename sanitization is utilized, the malicious parameter also facilitates path traversal, allowing the file to be moved even to the webroot directory.”