A critical vulnerability in the Ninja Forms File Uploads premium add-on for WordPress allows uploading arbitrary files without authentication, which can lead to remote code execution.

Identified as CVE-2026–0740, the issue is currently exploited in attacks. According to WordPress security company Defiant, its Wordfence firewall blocked more than 3,600 attacks over the past 24 hours.

With over 600,000 downloads, Ninja Forms is a popular WordPress form builder that lets users create forms without coding using a drag-and-drop interface. Its File Upload extension, included in the same suite, serves 90,000 customers.