Ninja Forms - File Uploads <= 3.3.29 - Unauthenticated Arbitrary File Read via File Upload Field 'files[].data.file_path' Parameter

2026-07-01 20:41
daroo

Strategic Overview

Status
Patched in 3.3.30
Affected Version<= 3.3.29
CVSS7.5High
CVECVE-2026-13369
View all Ninja Forms - File Uploads vulnerabilities

Vulnerability Overview

The Ninja Forms - File Uploads plugin for WordPress is vulnerable to Arbitrary File Read via the attach_files() function in versions up to, and including, 3.3.29. This is due to the get_files_for_attachment() function accepting a raw attacker-controlled 'files' array when the process() method returns early due to a client-supplied saveProgress flag, bypassing all upload validation, path normalization, and database record creation steps, and allowing an attacker-supplied file_path value to reach wp_mail() as an email attachment with only a file_exists() check. This makes it possible for unauthenticated attackers to read arbitrary files on the affected site's server.

Technical Analysis

REMEDIATION: Update to version 3.3.30, or a newer patched version --- IDENTIFIER: CWE-22 (Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')) The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

External References

Vulnerability data © Defiant, Inc., provided under the Wordfence Intelligence T&C

Ninja Forms - File Uploads <= 3.3.29 - Unauthenticated Arbitrary File Read via File Upload Field 'files[].data.file_path' Parameter (CVE-2026-13369)