CVE-2026-13369
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk40th percentile — higher than 40% of all known CVEs
Summary
The Ninja Forms - File Uploads plugin for WordPress up to version 3.3.29 is vulnerable to Arbitrary File Read. The attach_files() function improperly handles a raw attacker-controlled 'files' array, bypassing upload validation, path normalization, and database record creation, allowing an unauthenticated attacker to read arbitrary files on the server.
Risk Assessment
The risk involves reading sensitive configuration files, passwords, or user data without authentication, potentially leading to attack escalation and full site compromise.
Recommendation
Immediately update the Ninja Forms - File Uploads plugin to the latest available version that fixes this vulnerability. Temporarily disable the plugin if an update is not yet available.
Original NVD description (English source)
The Ninja Forms - File Uploads plugin for WordPress is vulnerable to Arbitrary File Read via the attach_files() function in versions up to, and including, 3.3.29. This is due to the get_files_for_attachment() function accepting a raw attacker-controlled 'files' array when the process() method returns early due to a client-supplied saveProgress flag, bypassing all upload validation, path normalization, and database record creation steps, and allowing an attacker-supplied file_path value to reach wp_mail() as an email attachment with only a file_exists() check. This makes it possible for unauthenticated attackers to read arbitrary files on the affected site's server.

