Attackers are uploading arbitrary files — including executable PHP scripts — to WordPress sites running a vulnerable version of the Ninja Forms File Upload extension. A successful exploit gives an attacker the ability to run code on the server and take full control of the affected site, with no login or account required.

The vulnerability affects the File Upload add-on only, not the core Ninja Forms plugin itself. Versions up to and including 3.3.17 are exposed. The flaw carries a CVSS (Common Vulnerability Scoring System) score of 9.8 out of 10, placing it in the critical category. Version 3.3.18 resolves the issue.

A heavy steel vault door stands ajar, with a broken padlock on the floor beside it.

Attackers Exploit Critical Ninja Forms File Upload Flaw

Wordfence threat intelligence confirmed active exploitation attempts in its firewall data, meaning real attacks are already underway — this is not a theoretical risk. File upload functionality is inherently sensitive: without strict controls over accepted file types and storage locations, an upload field becomes a direct path for malicious code injection.

Attribute Value
Affected plugin Ninja Forms File Upload (add-on)
Vulnerable versions Up to and including 3.3.17
Patched version 3.3.18
CVSS score 9.8 (Critical)
Authentication required None — unauthenticated exploit
Exploitation status Actively exploited in the wild

If your site uses Ninja Forms with the File Upload extension, confirm the add-on is running version 3.3.18 or later. Because this is a premium add-on sold separately from the core Ninja Forms plugin, it does not update automatically through the standard WordPress plugin directory — you may need to download the update from your account on the Ninja Forms website and install it manually.

Sites protected by the Wordfence firewall received a rule to block exploitation attempts, though the rollout timeline differs between tiers. Premium users received the rule immediately upon discovery; free-tier users receive it after a delay. Applying the patch directly remains the most reliable fix and should not be skipped in favour of relying on firewall protection alone.

For agencies managing multiple client sites, a quick audit of which sites use file upload forms is worth the time. Any site collecting resumes, ID documents, media files, or similar uploads via Ninja Forms is potentially exposed until updated. The combination of a near-perfect CVSS score and confirmed active exploitation puts this squarely in the category of vulnerabilities that warrant same-day action.