Critical WordPress Plugin Flaw Hits 50,000 Sites — Hospitality Businesses Should Patch Now

A critical vulnerability in the Ninja Forms File Uploads add-on for WordPress is being actively exploited, with security firm Wordfence blocking over 3,600 attacks in a single 24-hour window. The flaw, tracked as CVE-2026-0740 and carrying a CVSS score of 9.8, lets attackers upload malicious files to a site without any authentication at all. Once they’re in, it’s full remote code execution — meaning complete site takeover.

If you run a hotel, restaurant, bar, or venue with a WordPress website that uses Ninja Forms for bookings, enquiries, or contact forms, this one’s worth paying attention to. Around 50,000 WordPress sites use the affected plugin, and hospitality businesses are among the heaviest users of form-based plugins for guest communication and reservations. A compromised website doesn’t just mean downtime — it can expose customer data, damage your brand, and potentially put you offside with the Privacy Act if personal information is leaked.

The fix is straightforward: update the Ninja Forms File Uploads add-on to version 3.3.27 or later. If you’re not sure which version you’re running, log into your WordPress dashboard, head to Plugins, and check. If you can’t update immediately, consider temporarily disabling file upload functionality on your forms until you can. It’s also worth running a malware scan on your site to check nothing’s already been planted.
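The two checks above (is the add-on at 3.3.27 or later, and has anything already been planted) can be scripted. The following is an added example, not code from this post or from Ninja Forms. It assumes uploaded files land under the standard `wp-content/uploads` directory and that the listed extensions are the ones your server executes; the plugin header and file tree in `demo()` are constructed.

```python
import re
import tempfile
from pathlib import Path

FIXED = (3, 3, 27)  # first fixed release named in the post
# Assumption: extensions a PHP-enabled server may execute; adjust to your config.
SCRIPT_EXT = {".php", ".phtml", ".phar", ".php5", ".php7"}

def parse_version(text):
    """Return the 'Version:' field of a WordPress plugin header as a tuple of ints."""
    m = re.search(r"^[ \t/*#@]*Version:\s*([0-9]+(?:\.[0-9]+)*)", text, re.M | re.I)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def is_patched(header_text):
    """True only if a version was found and is >= 3.3.27 (numeric compare, so 3.3.9 < 3.3.27)."""
    v = parse_version(header_text)
    if v is None:
        return False  # unknown version: treat as unpatched
    return v + (0,) * (len(FIXED) - len(v)) >= FIXED

def suspicious_uploads(uploads_dir):
    """List files under the uploads tree whose name carries an executable extension."""
    hits = []
    for p in Path(uploads_dir).rglob("*"):
        # Check every dot-separated part so 'avatar.php.jpg' is flagged too.
        if p.is_file() and any(s.lower() in SCRIPT_EXT for s in p.suffixes):
            hits.append(p.relative_to(uploads_dir).as_posix())
    return sorted(hits)

def demo():
    """Constructed sample: an outdated header and a fake uploads tree (no real site data)."""
    header = "<?php\n/*\n * Plugin Name: Ninja Forms - File Uploads\n * Version: 3.3.9\n */\n"
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "2026/01").mkdir(parents=True)
        (root / "tmp").mkdir()
        (root / "2026/01/menu.pdf").write_text("constructed")
        (root / "2026/01/avatar.php.jpg").write_text("constructed")
        (root / "tmp/x.PHP").write_text("constructed")
        return is_patched(header), suspicious_uploads(root)

if __name__ == "__main__":
    patched, hits = demo()
    print("patched:", patched)
    print("review these files:", hits)
```

On a real site, pass the text of the add-on's main plugin file to `is_patched()` and the path of the uploads directory to `suspicious_uploads()`; a hit is a file to review, not proof of compromise.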

If you’re not sure whether your website is affected or need a hand checking your WordPress plugins are up to date, get in touch with All IT Services. We manage WordPress environments for a number of hospitality clients and can sort this quickly.
