Skip to main content

Ninja Forms File Uploads

6 CVEs product

Monthly

CVE-2026-12557 MEDIUM This Month

Authorization bypass in the Ninja Forms - File Uploads WordPress plugin (all versions through 3.3.29) allows unauthenticated remote attackers to read all plugin debug log entries stored in the wp_nf3_log database table or permanently delete every row from that table. The flaw originates from the plugin's failure to verify whether a requesting user holds any authorization before processing debug log actions, as confirmed by Wordfence with a direct reference to the vulnerable DebugLog.php route. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass WordPress Ninja Forms File Uploads
NVD VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-13369 HIGH This Week

Arbitrary file read in the Ninja Forms - File Uploads WordPress add-on (versions ≤ 3.3.29) lets unauthenticated remote attackers exfiltrate any file readable by the web server. A client-supplied saveProgress flag causes the process() method to return early, so a raw attacker-controlled 'files' array reaches attach_files() and get_files_for_attachment() without upload validation, path normalization, or database record creation - an attacker-chosen file_path is then passed to wp_mail() as an email attachment guarded only by a file_exists() check. No public exploit has been identified at time of analysis; there is no CISA KEV listing and no EPSS score was supplied.

WordPress Path Traversal Ninja Forms File Uploads
NVD VulDB
CVSS 3.1
7.5
EPSS
0.5%
CVE-2024-1596 MEDIUM This Month

The Ninja Forms - File Uploads plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an uploaded file (e.g. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress XSS Ninja Forms File Uploads
NVD
CVSS 3.1
6.1
EPSS
0.4%
CVE-2022-0889 HIGH This Week

The Ninja Forms - File Uploads Extension WordPress plugin is vulnerable to reflected cross-site scripting due to missing sanitization of the files filename parameter found in the. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP XSS WordPress Ninja Forms File Uploads
NVD VulDB
CVSS 3.1
7.2
EPSS
2.0%
CVE-2022-0888 CRITICAL POC Act Now

The Ninja Forms - File Uploads Extension WordPress plugin is vulnerable to arbitrary file uploads due to insufficient input file type validation found in the ~/includes/ajax/controllers/uploads.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP RCE WordPress File Upload Ninja Forms File Uploads
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
9.3%
CVE-2019-10869 HIGH POC THREAT This Week

Path Traversal and Unrestricted File Upload exists in the Ninja Forms plugin before 3.0.23 for WordPress (when the Uploads add-on is activated). Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

PHP File Upload Path Traversal WordPress Ninja Forms File Uploads
NVD
CVSS 3.1
8.1
EPSS
13.0%
EPSS 0% CVSS 5.3
MEDIUM This Month

Authorization bypass in the Ninja Forms - File Uploads WordPress plugin (all versions through 3.3.29) allows unauthenticated remote attackers to read all plugin debug log entries stored in the wp_nf3_log database table or permanently delete every row from that table. The flaw originates from the plugin's failure to verify whether a requesting user holds any authorization before processing debug log actions, as confirmed by Wordfence with a direct reference to the vulnerable DebugLog.php route. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass WordPress Ninja Forms File Uploads
NVD VulDB
EPSS 1% CVSS 7.5
HIGH This Week

Arbitrary file read in the Ninja Forms - File Uploads WordPress add-on (versions ≤ 3.3.29) lets unauthenticated remote attackers exfiltrate any file readable by the web server. A client-supplied saveProgress flag causes the process() method to return early, so a raw attacker-controlled 'files' array reaches attach_files() and get_files_for_attachment() without upload validation, path normalization, or database record creation - an attacker-chosen file_path is then passed to wp_mail() as an email attachment guarded only by a file_exists() check. No public exploit has been identified at time of analysis; there is no CISA KEV listing and no EPSS score was supplied.

WordPress Path Traversal Ninja Forms File Uploads
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

The Ninja Forms - File Uploads plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an uploaded file (e.g. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress XSS Ninja Forms File Uploads
NVD
EPSS 2% CVSS 7.2
HIGH This Week

The Ninja Forms - File Uploads Extension WordPress plugin is vulnerable to reflected cross-site scripting due to missing sanitization of the files filename parameter found in the. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP XSS WordPress +1
NVD VulDB
EPSS 9% CVSS 9.8
CRITICAL POC Act Now

The Ninja Forms - File Uploads Extension WordPress plugin is vulnerable to arbitrary file uploads due to insufficient input file type validation found in the ~/includes/ajax/controllers/uploads.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP RCE WordPress +2
NVD GitHub VulDB
EPSS 13% CVSS 8.1
HIGH POC THREAT This Week

Path Traversal and Unrestricted File Upload exists in the Ninja Forms plugin before 3.0.23 for WordPress (when the Uploads add-on is activated). Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

PHP File Upload Path Traversal +2
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy