CVE-2026-13369
Last modified
CVE-2026-13369 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. The Ninja Forms - File Uploads plugin for WordPress is vulnerable to Arbitrary File Read via the attach_files() function in versions up to, and including, 3.3.29. This is due to the get_files_for_attachment() function accepting a raw attacker-controlled 'files' array when the process() method returns early due to a client-supplied saveProgress flag, bypassing all upload validation, path normalization, and database record creation steps, and allowing an attacker-supplied file_path value to reach wp_mail() as an email attachment with only a file_exists() check. EPSS estimates a 0.52% chance of exploitation in the next 30 days.
Description
The Ninja Forms - File Uploads plugin for WordPress is vulnerable to Arbitrary File Read via the attach_files() function in versions up to, and including, 3.3.29. This is due to the get_files_for_attachment() function accepting a raw attacker-controlled 'files' array when the process() method returns early due to a client-supplied saveProgress flag, bypassing all upload validation, path normalization, and database record creation steps, and allowing an attacker-supplied file_path value to reach wp_mail() as an email attachment with only a file_exists() check. This makes it possible for unauthenticated attackers to read arbitrary files on the affected site's server.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Weakness Enumeration
Affected Software
Source: CNA advisory (CVE.org). NVD analysis pending.
| Vendor | Product | Versions |
|---|---|---|
| SaturdayDrive | Ninja Forms - File Uploads | <= 3.3.29 |
References
Timeline
- Published
- Last Modified
- Status
- Deferred
Frequently Asked Questions
What is CVE-2026-13369?
How severe is CVE-2026-13369?
How do I fix CVE-2026-13369?
Related CVEs from 2026
- CVE-2026-13351Zephyr's IPv6 network stack can be prevented from receiving …7.5
- CVE-2026-13353The WP Ultimate CSV Importer – WordPress Import & Export for…8.8
- CVE-2026-13356A malicious webpage could interrupt a pending navigation by …6.3
- CVE-2026-13357The Houzez Property Feed plugin for WordPress is vulnerable …4.9
- CVE-2026-1336The AI ChatBot with ChatGPT and Content Generator by AYS plu…5.3
- CVE-2026-13368WatchGuard Fireware OS contains a race condition leading to …9.2
- CVE-2026-1337Insufficient escaping of unicode characters in query log in …5.4
- CVE-2026-13371An authenticated administrator can trigger a denial-of-servi…6.9
- CVE-2026-13372Incorrect link resolution by display name in the custom Powe…7.2
- CVE-2026-13373Improper Neutralization of Input During Web Page Generation …4.8
- CVE-2026-13374Improper Neutralization of Input During Web Page Generation …4.8
- CVE-2026-13375Improper Neutralization of Input During Web Page Generation …4.8
Are you affected by CVE-2026-13369?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST
