Add template for CVE-2026-0740 #15830

Open
whattheslime wants to merge 2 commits into projectdiscovery:main from whattheslime:CVE-2026-0740

@whattheslime
Contributor

PR Information

As the original discoverer of this vulnerability, I'm submitting this template to help the community detect affected installations.

Template validation

  • Validated with a host running a vulnerable version and/or configuration (True Positive)
  • Validated with a host running a patched version and/or configuration (avoid False Positive)

Validated on a local WordPress 6.9.4 instance with Ninja Forms File Uploads 3.3.26 (vulnerable) and 3.3.27 (patched).

Additional Details (leave it blank if not applicable)

Version detection with httpx on vulnerable plugin (3.3.26):

httpx -u http://localhost:8000 -path /wp-content/plugins/ninja-forms-uploads/readme.txt -ms 'Stable tag' -er 'Stable tag:\s[\d\.]+'

    __    __  __       _  __
   / /_  / /_/ /_____ | |/ /
  / __ \/ __/ __/ __ \|   /
 / / / / /_/ /_/ /_/ /   |
/_/ /_/\__/\__/ .___/_/|_|
             /_/

                projectdiscovery.io

[INF] Current httpx version v1.7.4 (outdated)
[WRN] UI Dashboard is disabled, Use -dashboard option to enable
http://localhost:8000/wp-content/plugins/ninja-forms-uploads/readme.txt [Stable tag: 3.3.26]

nuclei output:

nuclei -u http://localhost:8000 -t CVE-2026-0740.yaml

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.7.1

                projectdiscovery.io

[INF] Current nuclei version: v3.7.1 (latest)
[INF] Current nuclei-templates version: v10.4.1 (latest)
[INF] New templates added in latest release: 76
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[CVE-2026-0740] [http] [critical] http://localhost:8000/wp-content/uploads/ninja-forms/tmp/3C2Wm6zoUT7xHNMC8mffGyyZbmt.txt ["3.3.26"]
[INF] Scan completed in 584.09881ms. 1 matches found.

False positive test on patched version (3.3.27):

httpx -u http://localhost:8000 -path /wp-content/plugins/ninja-forms-uploads/readme.txt -ms 'Stable tag' -er 'Stable tag:\s[\d\.]+'

    __    __  __       _  __
   / /_  / /_/ /_____ | |/ /
  / __ \/ __/ __/ __ \|   /
 / / / / /_/ /_/ /_/ /   |
/_/ /_/\__/\__/ .___/_/|_|
             /_/

                projectdiscovery.io

[INF] Current httpx version v1.7.4 (outdated)
[WRN] UI Dashboard is disabled, Use -dashboard option to enable
http://localhost:8000/wp-content/plugins/ninja-forms-uploads/readme.txt [Stable tag: 3.3.27]

nuclei -u http://localhost:8000 -t CVE-2026-0740.yaml

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.7.1

                projectdiscovery.io

[INF] Current nuclei version: v3.7.1 (latest)
[INF] Current nuclei-templates version: v10.4.1 (latest)
[INF] New templates added in latest release: 76
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] Scan completed in 230.621545ms. 0 matches found.

  • Fofa query: body="nfpluginsettings.js?ver="
  • Shodan query: http.html:"nfpluginsettings.js?ver="

Additional References:

@github-actions github-actions bot requested a review from theamanrawat April 7, 2026 18:09
@whattheslime whattheslime changed the title from "CVE 2026 0740" to "Add template for CVE-2026-0740" Apr 9, 2026
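
For site owners auditing their own installs, the `Stable tag` check shown with httpx above can be turned into an inventory triage step. This is an added example, not part of the pull request or the nuclei-templates project: the function names and sample readme bodies are constructed, and treating every version older than 3.3.27 as needing an update is an assumption based only on the two versions tested in the PR.

```python
import re

# First version the PR author tested as patched (from the PR description).
PATCHED = (3, 3, 27)

# Same field the httpx regex extracts, anchored to a full line and
# restricted to dotted integers so values such as "trunk" are rejected.
STABLE_TAG = re.compile(r"^[ \t]*Stable tag:\s*([0-9]+(?:\.[0-9]+)*)\s*$",
                        re.IGNORECASE | re.MULTILINE)

# Constructed sample readme.txt bodies (not captured from a real site).
SAMPLE_VULNERABLE = "=== Example readme (constructed) ===\nStable tag: 3.3.26\n"
SAMPLE_PATCHED = "=== Example readme (constructed) ===\r\nStable tag: 3.3.27\r\n"


def parse_stable_tag(readme_text):
    """Return the Stable tag as a tuple of ints, or None if absent/unparseable."""
    match = STABLE_TAG.search(readme_text)
    if match is None:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def classify(readme_text):
    """Triage one readme.txt body: 'patched', 'update-required' or 'unknown'."""
    version = parse_stable_tag(readme_text)
    if version is None:
        # readme.txt blocked, removed or non-numeric: this proves nothing,
        # so the site still needs a check from the WordPress admin side.
        return "unknown"
    # Pad so that "3.3" compares as 3.3.0 rather than by tuple length.
    width = max(len(version), len(PATCHED))
    padded = version + (0,) * (width - len(version))
    floor = PATCHED + (0,) * (width - len(PATCHED))
    return "patched" if padded >= floor else "update-required"


if __name__ == "__main__":
    for name, body in [("vulnerable sample", SAMPLE_VULNERABLE),
                       ("patched sample", SAMPLE_PATCHED),
                       ("blocked readme", "<html>403 Forbidden</html>")]:
        print(f"{name}: {classify(body)}")
```

An `unknown` result is not a clean result: the readme can be hidden or stale while the plugin code is still the older release.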