CVE-2026-0740

Ninja Forms · File Uploads plugin for WordPress

The Ninja Forms File Uploads plugin is vulnerable to unauthenticated arbitrary file uploads, potentially leading to remote code execution.

Executive summary

The Ninja Forms File Uploads plugin for WordPress contains a critical file upload vulnerability that allows unauthenticated attackers to execute arbitrary code on the server.

Vulnerability

The plugin fails to perform adequate file type validation within the handle_upload function. This allows an unauthenticated attacker to upload malicious files directly to the server, which can subsequently be executed to achieve full system compromise.

Business impact

With a CVSS score of 9.8, this vulnerability represents an extreme risk. Successful exploitation grants an attacker the ability to execute arbitrary code, leading to total server compromise, data theft, and the potential for lateral movement within the network.

Remediation

Immediate Action: Update the Ninja Forms File Uploads plugin to version 3.3.27 or later.

Proactive Monitoring: Inspect the uploads directory for unrecognized file types or suspicious scripts, and monitor server logs for unauthorized access requests to uploaded file paths.

Compensating Controls: Deploy a Web Application Firewall (WAF) with rules configured to block file uploads containing executable extensions or suspicious content signatures.
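An added example, not code from this advisory or from the Ninja Forms project: a Python allowlist check of the kind the vulnerability section describes as missing (extension allowlist, rejection of executable extensions anywhere in the file name, signature and PHP-tag inspection of the content), reused by a scanner that walks an uploads tree and reports files the check would have refused, which is the inspection the monitoring item above calls for. The allowlisted types, the executable-extension list, the directory layout and the sample files are all assumptions constructed for the example.

```python
"""Added example (not from the advisory or the Ninja Forms plugin): an
allowlist-based upload check plus a scanner that applies the same check to
files already sitting in an uploads directory. All policy values are assumed."""
from __future__ import annotations

import os
import re
import tempfile

# Assumed allowlist: extension -> magic bytes the content must begin with.
ALLOWED: dict[str, tuple[bytes, ...]] = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}

# Assumed list of extensions a PHP-capable web server may execute or honour.
EXECUTABLE = {"php", "php3", "php4", "php5", "php7", "phtml", "phar",
              "phps", "htaccess", "cgi", "pl", "sh"}

# A PHP open tag anywhere in the body, e.g. appended after valid image data.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def check_upload(filename: str, content: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). Every dotted segment of the name is examined,
    so 'image.php.jpg' is rejected even though its last extension is allowed."""
    base = os.path.basename(filename).lower()
    parts = base.split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "no extension"          # also catches dotfiles like .htaccess
    if any(p in EXECUTABLE for p in parts[1:]):
        return False, "executable extension in name"
    ext = parts[-1]
    if ext not in ALLOWED:
        return False, f"extension .{ext} not allowlisted"
    if not any(content.startswith(magic) for magic in ALLOWED[ext]):
        return False, f"content does not match .{ext} signature"
    if PHP_TAG.search(content):
        return False, "embedded PHP open tag"
    return True, "ok"


def scan_uploads(root: str) -> list[tuple[str, str]]:
    """Walk an uploads tree and return (relative path, reason) for every file
    the check would not have accepted; sorted so results are stable."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                content = fh.read()
            ok, reason = check_upload(name, content)
            if not ok:
                findings.append((os.path.relpath(path, root), reason))
    return sorted(findings)


def demo() -> list[tuple[str, str]]:
    """Build a constructed uploads directory and scan it (sample files are made up)."""
    samples = {
        os.path.join("2026", "01", "photo.jpg"): b"\xff\xd8\xff\xe0" + b"\x00" * 16,
        "report.pdf": b"%PDF-1.4\n",
        "shell.php": b"<?php echo 'placeholder'; ?>",       # executable extension
        "image.php.jpg": b"\xff\xd8\xff\xe0",                # double extension
        "banner.gif": b"GIF89a" + b"\x00" * 8 + b"<?php echo 1; ?>",  # polyglot
        "notes.txt": b"hello",                               # not allowlisted
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return scan_uploads(root)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Run it against a real `wp-content/uploads` directory by calling `scan_uploads(path)`; reading whole files is deliberate, since a PHP tag appended after a valid image header is only found by searching the full body, not the first few bytes.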

Exploitation status

Public Exploit Available: true

Analyst recommendation

This is a high-priority vulnerability that requires immediate attention. Given the ease of exploitation and the potential for remote code execution, all WordPress instances running affected versions of this plugin must be updated without delay.