CVE-2026-0740 appears in two items covering the same vulnerability: one describes the free Ninja Forms File Uploads plugin (CISA KEV confirmed, priority 0.85, CVSS 9.8, ~50,000 sites at risk) and one covers the premium Ninja Forms File Upload add-on (CISA KEV unconfirmed in that snapshot, CVSS 9.5, ~90,000 customers). Both items confirm unauthenticated arbitrary file upload enabling webshell deployment and full server RCE, with active exploitation reported by Wordfence; the CVSS and KEV discrepancies between items likely reflect different data capture timestamps and should be reconciled against the current NVD entry. The fully patched version is 3.3.27 — version 3.3.25 contains an incomplete patch with a confirmed bypass. Immediate actions: update to 3.3.27 across all WordPress environments, audit wp-content/uploads for existing PHP webshells, and apply WAF rules blocking unauthenticated uploads to Ninja Forms AJAX endpoints as an interim control.