The AJAX endpoint pattern keeps exposing your sites to hackers

Five separate critical vulnerabilities have hit Joomla and WordPress in the last two weeks, and they all share the same root cause: AJAX endpoints that authenticate the request but never authorize the action. Astroid Framework, Novarain, Smart Slider 3, Joomla core's com_ajax, and now Ninja Forms File Uploads — same blind spot, different plugin.

I've written a deep dive into the pattern explaining why this keeps happening and what to look for. Then yesterday Wordfence disclosed CVE-2026-0740 in Ninja Forms File Uploads — CVSS 9.8 unauth RCE on around 50,000 sites — which is the pattern playing out in real time.

Also in this issue: four major WordPress plugins (Elementor, Yoast, WPForms, Really Simple Security) shipped patches in March, a piece on why Joomla's compat plugins are technical debt, and a guide to detecting locked Joomla scheduled tasks before they silently break things.

All guides are free to read on the blog

AJAX endpoints are a big CMS security blind spot

WordPress's admin-ajax.php and Joomla's com_ajax were designed as lightweight pass-throughs. They check that you're logged in, then hand the request off to the plugin. The plugin is supposed to check whether you're allowed to do the thing — and most of them don't. That's why five separate critical CVEs landed in two weeks. This post walks through every one and explains the underlying flaw.

Critical CVSS 9.8

Ninja Forms File Uploads CVE-2026-0740 – the AJAX pattern strikes again

Unauthenticated arbitrary file upload via the plugin's AJAX handler. Affects around 50,000 WordPress sites. The first patch (3.3.25) didn't fully fix it — only 3.3.27 closes the hole. If your sites auto-updated to 3.3.25 or 3.3.26, you're still exploitable. The post explains exactly what went wrong and how to find every vulnerable install across your portfolio.

Also new from the blog

In case you missed it

Detect locked Joomla scheduled tasks before they cause problems

Joomla's Task Scheduler can leave tasks stuck in a locked state after a crash or PHP timeout. The task looks fine in the admin, but it never runs again — backups stop, cleanups stop, and you don't find out until something else breaks. This guide shows how mySites.guru detects and unlocks them across every Joomla site you manage.

Need help with your site? Phil Taylor – Fixing websites since 2004

Found something wrong with your Joomla or WordPress site? If it were simple, you'd have fixed it already. I offer same-day expert help at a flat rate of £120 per incident. No hourly billing surprises.

If I can't add value, you don't pay