Arbitrary File Read Vulnerability in Ninja Forms - File Uploads Plugin
CVE-2026-13369
7.5HIGH
What is CVE-2026-13369?
The Ninja Forms - File Uploads plugin for WordPress is susceptible to arbitrary file read due to improper validation in the attach_files() function. Versions up to and including 3.3.29 allow an attacker to manipulate the 'files' array after an early termination of the process() method triggered by a client-supplied saveProgress flag. This bypasses essential upload validation and path normalization, enabling an attacker-controlled file_path to be used with wp_mail() for email attachments, leading to the exposure of sensitive files on the server.
Affected Version(s)
Ninja Forms - File Uploads 0 <= 3.3.29