CVE-2022-0888: 
WordPress vulnerability analysis and mitigation

The Ninja Forms - File Uploads Extension WordPress plugin versions prior to 3.3.1 was found to contain an arbitrary file upload vulnerability (CVE-2022-0888). The vulnerability stems from insufficient input file type validation in the ~/includes/ajax/controllers/uploads.php file, which allows unauthenticated attackers to upload malicious files that can lead to remote code execution (WPScan).

The vulnerability exists due to a bypass in the file extension validation mechanism. When the formid parameter is removed from the file upload request, the validate method in the uploads.php file returns true, effectively bypassing the file extension check. This vulnerability has been assigned a CVSS score of 9.8 (Critical), indicating its severe nature (WPScan).

If successfully exploited, this vulnerability allows unauthenticated attackers to upload arbitrary files to the server, potentially leading to remote code execution. This could result in complete compromise of the affected WordPress installation (WPScan).

The vulnerability has been patched in version 3.3.1 of the Ninja Forms - File Uploads Extension. Site administrators are strongly advised to update to this version or later to protect against potential attacks (WPScan).