Ninja Forms File Uploads

1 CVEs product

CVE-2026-0740 CRITICAL Act Now

Unauthenticated arbitrary file upload in Ninja Forms - File Uploads plugin for WordPress (versions ≤3.3.26) enables remote code execution through missing file type validation in the upload handler. Attackers can upload malicious PHP files without authentication, achieving complete server compromise. CVSS 9.8 (Critical) with CVSS:3.1/AV:N/AC:L/PR:N/UI:N indicates network-based exploitation requiring no privileges or user interaction. Fully patched in version 3.3.27 following a partial fix in 3.3.25. No public exploit identified at time of analysis, though the vulnerability class (CWE-434: Unrestricted Upload of File with Dangerous Type) is well-understood and readily exploitable.

WordPress PHP File Upload RCE Ninja Forms File Uploads
NVD VulDB
CVSS 3.1: 9.8
EPSS: 0.1%