Skip to main content

Ninja Forms File Uploads CVE-2026-13369

| EUVDEUVD-2026-41275 HIGH
Path Traversal (CWE-22)
2026-07-02 Wordfence GHSA-2298-wc49-vm4h
7.5
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
7.5 HIGH

Unauthenticated network request with no interaction (AV:N/AC:L/PR:N/UI:N); arbitrary file read yields high confidentiality only, with no integrity or availability impact (C:H/I:N/A:N).

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 02, 2026 - 10:16 vuln.today
CVE Published
Jul 02, 2026 - 09:32 cve.org
HIGH 7.5

DescriptionCVE.org

The Ninja Forms - File Uploads plugin for WordPress is vulnerable to Arbitrary File Read via the attach_files() function in versions up to, and including, 3.3.29. This is due to the get_files_for_attachment() function accepting a raw attacker-controlled 'files' array when the process() method returns early due to a client-supplied saveProgress flag, bypassing all upload validation, path normalization, and database record creation steps, and allowing an attacker-supplied file_path value to reach wp_mail() as an email attachment with only a file_exists() check. This makes it possible for unauthenticated attackers to read arbitrary files on the affected site's server.

AnalysisAI

Arbitrary file read in the Ninja Forms - File Uploads WordPress add-on (versions ≤ 3.3.29) lets unauthenticated remote attackers exfiltrate any file readable by the web server. A client-supplied saveProgress flag causes the process() method to return early, so a raw attacker-controlled 'files' array reaches attach_files() and get_files_for_attachment() without upload validation, path normalization, or database record creation - an attacker-chosen file_path is then passed to wp_mail() as an email attachment guarded only by a file_exists() check. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify public form using File Uploads add-on
Delivery
Submit request with saveProgress flag set
Exploit
Inject traversal file_path in files array
Execution
Bypass validation via early return
Persist
wp_mail attaches arbitrary file
Impact
Receive exfiltrated file contents

Vulnerability AssessmentAI

Exploitation Exploitation requires a target WordPress site running the Ninja Forms - File Uploads add-on (≤ 3.3.29) with at least one publicly reachable form containing a file-upload field, and the attacker must trigger the early-return path by supplying the client-controlled saveProgress flag so process() bails out and the raw 'files' array with an attacker-chosen file_path reaches wp_mail(); the referenced file only needs to pass a file_exists() check. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (base 7.5) is internally consistent with the description: network-reachable, low-complexity, unauthenticated, no user interaction, high confidentiality impact only (no integrity or availability effect - this is read, not write or RCE). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker submits a crafted request to a public WordPress form that uses the File Uploads add-on, setting the saveProgress flag and injecting a 'files' entry whose file_path points via traversal to a sensitive file such as ../../../wp-config.php. The plugin skips validation, passes the path to wp_mail() as an attachment, and the file's contents are delivered to an attacker-controlled address, exposing database credentials and secret keys. …
Remediation No vendor-released patch version was identified in the supplied data - the input confirms only that versions up to and including 3.3.29 are vulnerable, so administrators should consult the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/87d4dd4a-b1e2-4d08-aef1-77e58aa7531d?source=cve) and the plugin changelog for a fixed release above 3.3.29 and upgrade once it is published. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all WordPress sites running Ninja Forms version ≤ 3.3.29 and immediately deactivate the plugin; review web server access logs for suspicious file requests targeting the plugin. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-13369 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy