CVE-2022-0888 CRITICAL

CVE-2022-0888: Ninja Forms - File Uploads Extension <= 3.3.0 - Arbitrary File Upload

Vendor Saturdaydrive
Product Ninja Forms - File Uploads
Weakness CWE-434 · Unrestricted file upload
Published March 23, 2022
Last update April 8, 2026

CVSS base score

9.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

The Ninja Forms - File Uploads Extension WordPress plugin is vulnerable to arbitrary file uploads due to insufficient input file type validation found in the ~/includes/ajax/controllers/uploads.php file which can be bypassed making it possible for unauthenticated attackers to upload malicious files that can be used to obtain remote code execution, in versions up to and including 3.3.0

Key dates

02Disclosure timeline

March 23, 2022 CVE published
April 8, 2026 Record updated