CVE-2026-13369 Overview
CVE-2026-13369 is an arbitrary file read vulnerability in the Ninja Forms - File Uploads plugin for WordPress. The flaw affects all versions up to and including 3.3.29. Unauthenticated attackers can read arbitrary files on the server by abusing the attach_files() function. The vulnerability results from the get_files_for_attachment() function accepting an attacker-controlled files array when the process() method returns early due to a client-supplied saveProgress flag. This bypass allows arbitrary file_path values to reach wp_mail() as email attachments with only a file_exists() check [CWE-22].
Critical Impact
Unauthenticated remote attackers can read sensitive files including wp-config.php, private keys, and system configuration files hosted on affected WordPress servers.
Affected Products
- Ninja Forms - File Uploads plugin for WordPress
- All versions up to and including 3.3.29
- WordPress sites integrating the plugin with Ninja Forms core
Discovery Timeline
- 2026-07-02 - CVE-2026-13369 published to the National Vulnerability Database
- 2026-07-02 - Last updated in NVD database
Technical Details for CVE-2026-13369
Vulnerability Analysis
The vulnerability exists in the file attachment flow of the Ninja Forms - File Uploads plugin. When a form submission includes a saveProgress flag, the process() method exits early before executing upload validation, path normalization, and database record creation. Despite this early return, the downstream attach_files() function still invokes get_files_for_attachment(), which trusts the raw files array supplied in the request.
Because the attacker controls the file_path value in that array, the plugin passes arbitrary server paths directly to wp_mail(). The only guard is a file_exists() check, which does not restrict paths to the intended upload directory. When the form submission triggers an email notification, WordPress attaches the requested file and delivers it to the recipient address configured in the form, which the attacker often controls.
Root Cause
The root cause is missing input validation and improper trust in client-supplied state. The saveProgress short-circuit path skips sanitization routines but leaves the attachment logic reachable. get_files_for_attachment() reuses attacker-provided paths instead of resolving file identifiers against the database record created during a legitimate upload.
Attack Vector
An unauthenticated attacker submits a crafted Ninja Forms request containing the saveProgress flag and a files array with malicious file_path entries such as /etc/passwd or /var/www/html/wp-config.php. The attacker sets a form email field to a mailbox they control. When the form processes the submission, wp_mail() attaches the referenced file and sends it to the attacker.
The vulnerability mechanism is described in the Wordfence Vulnerability Report and the plugin source at attachments.php.
Detection Methods for CVE-2026-13369
Indicators of Compromise
- Ninja Forms submissions containing a saveProgress parameter combined with a populated files array in the request body
- Outbound emails from the WordPress host containing attachments with paths outside the plugin upload directory
- Web server access logs showing repeated POST requests to admin-ajax.php with the nf_ajax_submit action from a single source
- Unexpected reads of sensitive files such as wp-config.php, .env, or SSH key files by the PHP process user
Detection Strategies
- Inspect POST bodies to Ninja Forms endpoints for file_path values referencing absolute paths or traversal sequences like ../
- Correlate form submissions containing saveProgress=true with subsequent outbound SMTP traffic containing attachments
- Monitor PHP file access telemetry for reads of system files originating from the web server process
- Alert on Ninja Forms email notifications delivered to external addresses when the attachment content-type matches server configuration files
Monitoring Recommendations
- Enable WordPress debug logging and audit wp_mail() invocations that include attachments
- Deploy web application firewall rules that inspect Ninja Forms AJAX requests for the vulnerable parameter combination
- Track file access patterns from the www-data or equivalent PHP user against a baseline of expected upload directory activity
How to Mitigate CVE-2026-13369
Immediate Actions Required
- Update the Ninja Forms - File Uploads plugin to a version above 3.3.29 as soon as the vendor releases a patched build
- Disable the plugin on production sites until an updated version is installed
- Rotate any credentials, API keys, or secrets stored in wp-config.php and other server-side configuration files
- Review outbound mail logs for suspicious attachments sent from the WordPress host since deployment of the affected plugin
Patch Information
At the time of publication, the NVD entry lists no fixed version. Administrators should monitor the plugin repository and the Wordfence advisory for a patched release addressing the attach_files() validation gap.
Workarounds
- Restrict access to admin-ajax.php endpoints handling Ninja Forms submissions using IP allowlisting or authentication where feasible
- Deploy WAF signatures blocking requests to Ninja Forms that combine saveProgress with a files[][file_path] parameter
- Apply strict open_basedir PHP restrictions to prevent the web server process from reading files outside the WordPress document root
- Remove sensitive files from web-accessible directories and enforce filesystem permissions that deny read access to the PHP user for non-essential files
# Example open_basedir restriction in php.ini or vhost configuration
php_admin_value open_basedir "/var/www/html/:/tmp/"
# Example WAF rule (ModSecurity) blocking the vulnerable parameter combination
SecRule ARGS:saveProgress "@streq true" \
"id:1013369,phase:2,deny,status:403,\
chain,msg:'Block Ninja Forms File Uploads arbitrary file read CVE-2026-13369'"
SecRule ARGS_NAMES "@rx files\[.*\]\[file_path\]" "t:none"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

