CVE-2026-0740 (CVSS 9.8, CISA KEV confirmed, priority 0.85) affects the Ninja Forms File Uploads WordPress plugin through version 3.3.26, allowing unauthenticated attackers to upload arbitrary PHP files and achieve remote code execution — a second intelligence item for the same CVE reports over 3,600 blocked attack attempts in a single 24-hour window across an estimated 90,000 affected sites. The vulnerability chains missing authentication (CWE-306), unrestricted file upload (CWE-434), and path traversal (CWE-22), enabling persistent web shell deployment. Organizations must upgrade to version 3.3.27 immediately and audit upload directories for existing web shells; disable the plugin if patching cannot occur within four hours.