CVE Catalog

CVE-2026-13369

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.52%

40th percentile — higher than 40% of all known CVEs

Summary

The Ninja Forms - File Uploads plugin for WordPress up to version 3.3.29 is vulnerable to Arbitrary File Read. The attach_files() function improperly handles a raw attacker-controlled 'files' array, bypassing upload validation, path normalization, and database record creation, allowing an unauthenticated attacker to read arbitrary files on the server.

Risk Assessment

The risk involves reading sensitive configuration files, passwords, or user data without authentication, potentially leading to attack escalation and full site compromise.

Recommendation

Immediately update the Ninja Forms - File Uploads plugin to the latest available version that fixes this vulnerability. Temporarily disable the plugin if an update is not yet available.

Original NVD description (English source)

The Ninja Forms - File Uploads plugin for WordPress is vulnerable to Arbitrary File Read via the attach_files() function in versions up to, and including, 3.3.29. This is due to the get_files_for_attachment() function accepting a raw attacker-controlled 'files' array when the process() method returns early due to a client-supplied saveProgress flag, bypassing all upload validation, path normalization, and database record creation steps, and allowing an attacker-supplied file_path value to reach wp_mail() as an email attachment with only a file_exists() check. This makes it possible for unauthenticated attackers to read arbitrary files on the affected site's server.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS