TTPwire Vol. 1 · MITRE ATT&CK·Tagged

Wordfence Blog

50,000 WordPress Sites affected by Arbitrary File Upload Vulnerability in Ninja Forms – File Upload WordPress Plugin

István Márton · 2026-04-06

ATT&CK techniques detected

5 predictions
T1190 Exploit Public-Facing Application
97%
"complete site compromise through the use of webshells and other techniques. wordfence firewall the following graphic demonstrates the steps to exploitation an attacker might take and at which point the wordfence firewall would block an attacker from successfully exploiting the vu…"
T1190 Exploit Public-Facing Application
91%
"##mp _ name ' ] = $ new _ tmp _ name ; $ this - > _ data [ ' files ' ] [ $ key ] [ ' new _ tmp _ key ' ] = $ file _ key ; } } although the function includes a file type check in the source filename within the _ validate ( ) function in the nf _ fu _ ajax _ controllers _ uploads c…"
T1190 Exploit Public-Facing Application
87%
"the partially patched version of the plugin, 3. 3. 25, was released. march 19, 2026 – the fully patched version of the plugin, 3. 3. 27, was released. conclusion in this blog post, we detailed an arbitrary file upload vulnerability within the ninja forms – file upload plugin affe…"
T1190 Exploit Public-Facing Application
58%
"50, 000 wordpress sites affected by arbitrary file upload vulnerability in ninja forms – file upload wordpress plugin on january 8th, 2026, we received a submission for an arbitrary file upload vulnerability in ninja forms – file upload, a wordpress plugin with an estimated 50, 0…"
T1588.006 Vulnerabilities
34%
"##fence response users received a firewall rule to protect against any exploits targeting this vulnerability on january 8, 2026. sites using the free version of wordfence received the same protection 30 days later on february 7, 2026. we provided full disclosure details to the sa…"

Summary

On January 8th, 2026, we received a submission for an Arbitrary File Upload vulnerability in Ninja Forms - File Upload, a WordPress plugin with an estimated 50,000 active installations. This vulnerability makes it possible for an unauthenticated attacker to upload arbitrary files to a vulnerable site and achieve remote code execution.

The post 50,000 WordPress Sites affected by Arbitrary File Upload Vulnerability in Ninja Forms – File Upload WordPress Plugin appeared first on Wordfence.