Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Unauthenticated network request with no interaction (AV:N/AC:L/PR:N/UI:N); arbitrary file read yields high confidentiality only, with no integrity or availability impact (C:H/I:N/A:N).
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Ninja Forms - File Uploads plugin for WordPress is vulnerable to Arbitrary File Read via the attach_files() function in versions up to, and including, 3.3.29. This is due to the get_files_for_attachment() function accepting a raw attacker-controlled 'files' array when the process() method returns early due to a client-supplied saveProgress flag, bypassing all upload validation, path normalization, and database record creation steps, and allowing an attacker-supplied file_path value to reach wp_mail() as an email attachment with only a file_exists() check. This makes it possible for unauthenticated attackers to read arbitrary files on the affected site's server.
AnalysisAI
Arbitrary file read in the Ninja Forms - File Uploads WordPress add-on (versions ≤ 3.3.29) lets unauthenticated remote attackers exfiltrate any file readable by the web server. A client-supplied saveProgress flag causes the process() method to return early, so a raw attacker-controlled 'files' array reaches attach_files() and get_files_for_attachment() without upload validation, path normalization, or database record creation - an attacker-chosen file_path is then passed to wp_mail() as an email attachment guarded only by a file_exists() check. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a target WordPress site running the Ninja Forms - File Uploads add-on (≤ 3.3.29) with at least one publicly reachable form containing a file-upload field, and the attacker must trigger the early-return path by supplying the client-controlled saveProgress flag so process() bails out and the raw 'files' array with an attacker-chosen file_path reaches wp_mail(); the referenced file only needs to pass a file_exists() check. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (base 7.5) is internally consistent with the description: network-reachable, low-complexity, unauthenticated, no user interaction, high confidentiality impact only (no integrity or availability effect - this is read, not write or RCE). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker submits a crafted request to a public WordPress form that uses the File Uploads add-on, setting the saveProgress flag and injecting a 'files' entry whose file_path points via traversal to a sensitive file such as ../../../wp-config.php. The plugin skips validation, passes the path to wp_mail() as an attachment, and the file's contents are delivered to an attacker-controlled address, exposing database credentials and secret keys. … |
| Remediation | No vendor-released patch version was identified in the supplied data - the input confirms only that versions up to and including 3.3.29 are vulnerable, so administrators should consult the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/87d4dd4a-b1e2-4d08-aef1-77e58aa7531d?source=cve) and the plugin changelog for a fixed release above 3.3.29 and upgrade once it is published. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all WordPress sites running Ninja Forms version ≤ 3.3.29 and immediately deactivate the plugin; review web server access logs for suspicious file requests targeting the plugin. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Ninja Forms File Uploads
View allThe Ninja Forms - File Uploads Extension WordPress plugin is vulnerable to arbitrary file uploads due to insufficient in
Path Traversal and Unrestricted File Upload exists in the Ninja Forms plugin before 3.0.23 for WordPress (when the Uploa
The Ninja Forms - File Uploads Extension WordPress plugin is vulnerable to reflected cross-site scripting due to missing
The Ninja Forms - File Uploads plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an uploaded file (e
Authorization bypass in the Ninja Forms - File Uploads WordPress plugin (all versions through 3.3.29) allows unauthentic
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41275
GHSA-2298-wc49-vm4h