CVE-2026-0740 is a critical unauthenticated arbitrary file upload vulnerability in the Ninja Forms File Uploads add-on for WordPress affecting all versions up to and including 3.3.26. The flaw is caused by missing validation and sanitization of the destination filename during upload handling in the NF_FU_AJAX_Controllers_Uploads logic, including the handle_upload() path and its delegated processing. While the plugin validates the source filename, it fails to properly validate the user-controlled destination filename and its extension before moving the uploaded file. This allows an attacker to supply a dangerous executable extension and, in some cases, path traversal sequences to influence where the file is written. As a result, an unauthenticated attacker can upload arbitrary files, including server-executable PHP payloads, to web-accessible locations on the target server. Versions 3.3.25 and 3.3.26 introduced incomplete protections, but the issue was not fully resolved until version 3.3.27, which added stronger destination filename sanitization, basename handling, and extension blocking.
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
What an attacker gets, and what they’ve been doing with it.
If you can’t patch tonight, do this now.
Patch, then assume compromise.
5 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (3 hidden).
Single-file Python exploit targeting a WordPress Ninja Forms upload vulnerability labeled CVE-2026-0740. The script is an interactive, multithreaded exploitation tool rather than a mere detector. It accepts either a file of targets or manual target input, accepts a local payload file, and then concurrently attacks each target. For each host, it normalizes the URL to try HTTPS then HTTP, requests a nonce from /wp-admin/admin-ajax.php using the nf_fu_get_new_nonce action, and then submits a multipart upload using nf_fu_upload. The exploit abuses the image_jpg parameter to set a traversal-based destination path using the hardcoded prefix ../../../../ plus the supplied filename. If the server response indicates the temporary name matches the traversal path, the script constructs a public URL under /wp-content/uploads/ninja-forms/tmp/ and fetches it to validate success. Validation is tailored to a specific uploaded web shell or file manager payload by checking for 'File Manager' markers in the HTTP response body. Successful URLs are appended to vuln_ninja.txt. Repository structure is minimal: one Python script containing constants, logging helpers, target loading, URL normalization, upload/validation logic, threaded worker orchestration, and the CLI main entry point.
Repository is a small standalone Python exploit tool consisting of three files: README.md, a large target list (list.txt), and the main script (ninja.py). The script is not part of a known exploit framework. Its purpose is mass exploitation of WordPress sites using Ninja Forms upload-related AJAX actions. For each target URL from list.txt, it constructs the endpoint /wp-admin/admin-ajax.php, requests a nonce using action=nf_fu_get_new_nonce with hardcoded FORM_ID=7 and FIELD_ID=7, then attempts a multipart upload using action=nf_fu_upload. The uploaded content is a PHP web shell/uploader stored under the server-side name murrez.php while the multipart filename is disguised as doc.pdf with MIME type application/pdf. If the JSON response indicates success and references the expected tmp_name, the script assumes the shell is reachable at /wp-content/uploads/ninja-forms/tmp/murrez.php and appends that URL to shell.txt. The code disables TLS verification, suppresses urllib3 warnings, uses a generic Mozilla user-agent, and includes basic exception handling and progress output. This is an operational mass-upload exploit with a hardcoded payload rather than a detection script.
This repository contains a standalone Python exploit and a companion Nuclei template for CVE-2026-0740, an unauthenticated arbitrary file upload vulnerability in the WordPress Ninja Forms File Uploads plugin up to version 3.3.26. The repository structure is small and focused: one Python exploit script (CVE-2026-0740.py), one YAML detection/verification template (CVE-2026-0740.yaml), plus README and license files. The main exploit capability is unauthenticated file upload via the plugin’s WordPress AJAX interface. Based on the README and YAML flow, exploitation works by first requesting a nonce from /wp-admin/admin-ajax.php using the nf_fu_get_new_nonce action, then submitting a multipart upload using nf_fu_upload. The README indicates support for path traversal through a destination parameter, allowing more controlled placement of the uploaded file. The operator provides the payload file locally, such as a PHP web shell, and the script attempts to confirm the resulting accessible URL. This makes the exploit operational rather than a simple proof of concept. The Python script is a custom exploit tool, not tied to a major exploitation framework. It uses httpx and httpx-socks, supports custom headers, configurable timeout, optional SOCKS5 proxying, optional SSL verification, colored logging, and command-line arguments for target URL, local file, and destination path. The visible code shows client setup, proxy handling, and invocation of an exploit() routine; the README confirms the intended workflow and options. The YAML file is a Nuclei-style template, but the repository as a whole is not primarily a framework module; it serves as both exploit and detection/verification material. Fingerprintable target endpoints include the WordPress AJAX endpoint /wp-admin/admin-ajax.php, the upload verification path under /wp-content/uploads/ninja-forms/tmp/, and the AJAX action names nf_fu_get_new_nonce and nf_fu_upload. The exploit targets web-accessible WordPress installations running the vulnerable plugin. Successful exploitation can result in arbitrary file placement and possible remote code execution if the uploaded file is executable by the server.
This repository is a small standalone Python exploit for CVE-2026-0740 affecting the WordPress Ninja Forms - File Uploads extension up to version 3.3.26. The repository contains one primary code file (CVE-2026-0740.py), a README with exploitation guidance and examples, and a minimal requirements.txt listing httpx and socksio. The exploit is not part of a larger offensive framework. Its workflow is straightforward: it accepts a target URL, a local file to upload, an optional destination path/filename, optional proxy settings, custom headers, and timeout values. It then sends a POST request to the WordPress AJAX endpoint /wp-admin/admin-ajax.php with action=nf_fu_get_new_nonce and a randomly generated field_id to obtain a valid upload nonce without authentication. After receiving the nonce, it performs a second multipart POST to the same endpoint with action=nf_fu_upload, attaching the attacker-controlled file while masquerading it as image.jpg and abusing the image_jpg POST parameter to control the final destination filename/path. The main exploit capability is unauthenticated arbitrary file upload. Because the destination filename is attacker-controlled, the exploit can be used to write files with dangerous extensions or traverse directories, depending on the vulnerable plugin version. The README explicitly documents that path traversal works on <= 3.3.24 and that later vulnerable versions still permit dangerous extension manipulation until 3.3.27 fully fixes the issue. The exploit itself does not generate a payload; instead, it uploads any user-supplied file. The README demonstrates using a PHP webshell payload to achieve remote command execution via a URL such as /wp-content/uploads/ninja-forms/ws.php?cmd=id. Notable fingerprintable targets and indicators include the WordPress AJAX endpoint /wp-admin/admin-ajax.php, the AJAX actions nf_fu_get_new_nonce and nf_fu_upload, the abused POST parameter image_jpg, and the upload path /wp-content/uploads/ninja-forms/tmp/. The script also uses a default traversal destination of ../../../, which is a strong indicator of intended arbitrary path placement. Overall, this is a real, functional exploit PoC with operational capability: it automates nonce retrieval and malicious upload, but leaves payload selection to the operator.
Repository contains a README and one Python exploit script, shadow.py. The script is a mass-exploitation tool for CVE-2026-0740 affecting the WordPress Ninja Forms - File Uploads plugin <= 3.3.26. Its workflow is: read target URLs from list.txt, POST to /wp-admin/admin-ajax.php with action=nf_fu_get_new_nonce using hardcoded form_id=7 and field_id=7, parse the returned nonce, then POST again to the same endpoint with action=nf_fu_upload and a multipart file upload. The uploaded content is a PHP web uploader disguised as doc.pdf with MIME type application/pdf, while the POST parameter doc_pdf requests server-side renaming to shadow.php. On success, the script constructs the shell URL under /wp-content/uploads/ninja-forms/tmp/shadow.php, prints it, and appends it to shell.txt. The exploit is operational rather than a simple PoC because it includes a working payload and supports batch targeting, but payload customization is minimal and hardcoded. The main capability is unauthenticated arbitrary file upload leading to remote code execution via a web-accessible PHP shell.
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
39 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A vulnerability affecting Ninja Forms uploads, listed among the flaws targeted by the operation.
A vulnerability in the Ninja Forms WordPress plugin that was directly targeted in the WP-SHELLSTORM campaign.
A publicly known vulnerability affecting the Ninja Forms WordPress plugin that is being exploited in a large-scale campaign targeting CMS platforms for webshell deployment.
A path traversal and arbitrary file upload vulnerability in Ninja Forms File Uploads that yielded validated compromises in the campaign.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.