Arbitrary File Read Vulnerability in Ninja Forms - File Uploads Plugin
CVE-2026-13369

7.5HIGH

Key Information:

Vendor

WordPress

Vendor
CVE Published:
2 July 2026

What is CVE-2026-13369?

The Ninja Forms - File Uploads plugin for WordPress is susceptible to arbitrary file read due to improper validation in the attach_files() function. Versions up to and including 3.3.29 allow an attacker to manipulate the 'files' array after an early termination of the process() method triggered by a client-supplied saveProgress flag. This bypasses essential upload validation and path normalization, enabling an attacker-controlled file_path to be used with wp_mail() for email attachments, leading to the exposure of sensitive files on the server.

Affected Version(s)

Ninja Forms - File Uploads 0 <= 3.3.29

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

daroo
.