CVE-2022-0889 in File Uploads Extension Plugin
Summary
by MITRE • 03/24/2022
The Ninja Forms - File Uploads Extension WordPress plugin is vulnerable to reflected cross-site scripting due to missing sanitization of the files filename parameter found in the ~/includes/ajax/controllers/uploads.php file which can be used by unauthenticated attackers to add malicious web scripts to vulnerable WordPress sites, in versions up to and including 3.3.12.
Analysis
by VulDB Data Team • 04/08/2026
The vulnerability identified as CVE-2022-0889 affects the Ninja Forms - File Uploads Extension WordPress plugin in versions up to and including 3.3.12. It is a critical security flaw that exposes WordPress sites to reflected cross-site scripting, allowing unauthenticated attackers to inject malicious scripts into the target environment. The root cause is insufficient input validation and sanitization in the plugin's ajax controller, which yields an attack vector that can be exploited without any authentication credentials.
The flaw lies in the ~/includes/ajax/controllers/uploads.php file, where the filename parameter received from file upload operations is not sanitized. The value is incorporated into the page response without filtering or encoding, producing a reflected XSS vulnerability that is triggered when a victim visits a maliciously crafted URL carrying the attacker's payload. The vulnerability is classified as CWE-79, which covers cross-site scripting flaws in web applications, where inadequately validated input allows malicious scripts to execute in the context of the victim's browser session.
The operational impact goes beyond simple script injection: the attacker gains the ability to execute arbitrary JavaScript in the victim's browser context. This can lead to session hijacking, credential theft, defacement of content, and potentially full compromise of the WordPress site if the attacker can leverage the vulnerability to gain additional access. Because the payload is reflected back to the user through the application's response, it can be delivered via email links, social media posts, or other web interactions that direct users to the vulnerable page.
Security professionals should note that exploitation requires neither authentication nor administrative privileges, which makes the flaw particularly concerning for WordPress installations that rely on third-party plugins for file upload functionality. The attack surface covers every site running the vulnerable plugin version, and the reflected nature means the attack can be delivered through phishing campaigns, compromised websites, or social engineering. Organizations should immediately apply mitigations, including plugin updates, input validation enforcement, and monitoring for suspicious activity patterns that may indicate exploitation attempts.
Mitigation should prioritize updating the plugin to the latest secure release, supplemented by a web application firewall, input sanitization rules, and comprehensive monitoring of file upload activity. The vulnerability illustrates the importance of parameter validation and input sanitization as outlined in the OWASP Top Ten, in particular preventing XSS through proper encoding and validation of user-supplied data. Organizations should also consider deploying Content Security Policy headers as an additional layer of protection, since this vulnerability could be used as one link in a broader attack chain within compromised environments.
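As an added illustration of the flaw class described in the analysis and of the sanitization and encoding controls recommended above (this is not the plugin's own code), the following stand-alone PHP contrasts a handler that reflects a filename unencoded with a hardened one. The parameter layout `$_POST['files']['filename']` and all function names are assumptions; the real controller's structure is not shown on this page.

```php
<?php
// Added illustration, not code from the Ninja Forms plugin. The parameter
// layout $_POST['files']['filename'] is an assumption for this example.

// Vulnerable pattern: the raw client-supplied name is interpolated into the
// HTML response, so any markup inside it reaches the victim's browser intact.
function respond_vulnerable(array $post): string {
    $name = $post['files']['filename'] ?? '';
    return '<p>Could not upload "' . $name . '"</p>';
}

// Hardened, step 1: restrict the name to characters a filename may contain.
// (WordPress ships sanitize_file_name() for the same purpose.)
function clean_filename(string $name): string {
    $name = preg_replace('/[^A-Za-z0-9._-]/', '-', $name) ?? '';
    // No leading dots (dotfiles) and never an empty name.
    return trim(ltrim($name, '.'), '-') ?: 'upload';
}

// Hardened, step 2: encode for the HTML context at the point of output.
// (WordPress ships esc_html() for this.) Both steps are needed: step 1 is a
// filesystem control, step 2 is the output-encoding control that stops XSS.
function respond_hardened(array $post): string {
    $name = clean_filename((string) ($post['files']['filename'] ?? ''));
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p>Could not upload "' . $safe . '"</p>';
}

// Constructed sample request: a filename carrying HTML markup, as a crafted
// request against a reflecting endpoint would.
$request = ['files' => ['filename' => 'notes<b>x</b>.txt']];

echo respond_vulnerable($request), PHP_EOL;  // markup passes through verbatim
echo respond_hardened($request), PHP_EOL;    // markup characters are gone
```

A detection-minded check on the same request is to flag upload parameters containing `<`, `>` or `"` before they ever reach the response path, which is what a WAF rule for this endpoint would do.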