Fwd: The AJAX endpoint pattern keeps exposing your sites to hackers


Dorothy Firsching

Apr 7, 2026, 10:57:57 AM
to novaj...@googlegroups.com


---------- Forwarded message ---------
From: Phil Taylor <ph...@phil-taylor.com>
Date: Tue, Apr 7, 2026, 8:14 AM
Subject: The AJAX endpoint pattern keeps exposing your sites to hackers
To: <dfirs...@acm.org>


Five CMS vulnerabilities in two weeks all share the same root cause — AJAX endpoints. Plus WordPress plugin patches and a Joomla scheduler fix.
mySites.guru
 
AJAX Endpoints Are A Big CMS Security Blind Spot

The AJAX endpoint pattern keeps exposing your sites to hackers

Five separate critical vulnerabilities have hit Joomla and WordPress in the last two weeks, and they all share the same root cause: AJAX endpoints that authenticate the request but never authorize the action. Astroid Framework, Novarain, Smart Slider 3, Joomla core's com_ajax, and now Ninja Forms File Uploads — same blind spot, different plugin.

I've written a deep dive into the pattern explaining why this keeps happening and what to look for. Then yesterday Wordfence disclosed CVE-2026-0740 in Ninja Forms File Uploads — CVSS 9.8 unauth RCE on around 50,000 sites — which is the pattern playing out in real time.

Also in this issue: four major WordPress plugins (Elementor, Yoast, WPForms, Really Simple Security) shipped patches in March, a piece on why Joomla's compat plugins are technical debt, and a guide to detecting locked Joomla scheduled tasks before they silently break things.

All guides are free to read on the blog

 

AJAX endpoints are a big CMS security blind spot


WordPress's admin-ajax.php and Joomla's com_ajax were designed as lightweight pass-throughs. They check that you're logged in, then hand the request off to the plugin. The plugin is supposed to check whether you're allowed to do the thing — and most of them don't. That's why five separate critical CVEs landed in two weeks. This post walks through every one and explains the underlying flaw.

Read the full breakdown
 

Critical CVSS 9.8

Ninja Forms File Uploads CVE-2026-0740 – the AJAX pattern strikes again


Unauthenticated arbitrary file upload via the plugin's AJAX handler. Affects around 50,000 WordPress sites. The first patch (3.3.25) didn't fully fix it — only 3.3.27 closes the hole. If your sites auto-updated to 3.3.25 or 3.3.26, you're still exploitable. The post explains exactly what went wrong and how to find every vulnerable install across your portfolio.

Check your sites now
 

Also new from the blog


4 Major WordPress Plugins Patched Security Flaws in March 2026


Joomla's Compat Plugin Is a Crutch, Not a Fix

 

In case you missed it

Detect locked Joomla scheduled tasks before they cause problems


Joomla's Task Scheduler can leave tasks stuck in a locked state after a crash or PHP timeout. The task looks fine in the admin, but it never runs again — backups stop, cleanups stop, and you don't find out until something else breaks. This guide shows how mySites.guru detects and unlocks them across every Joomla site you manage.

See how it works
 
Phil Taylor

Need help with your site?

Phil Taylor – Fixing websites since 2004

Found something wrong with your Joomla or WordPress site? If it were simple, you'd have fixed it already. I offer same-day expert help at a flat rate of £120 per incident. No hourly billing surprises.

✓ Hacked or compromised sites
✓ PHP errors and white screens
✓ Upgrades and PHP 8 compatibility
✓ Performance and hosting issues
Get expert help today

If I can't add value, you don't pay
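Added example, not part of the forwarded newsletter or any of the plugins it names: the "authenticated but never authorized" AJAX pattern described above, shown as a minimal WordPress admin-ajax.php handler in its unsafe form beside a hardened form. The action name `mysg_save_setting`, the option key and the `manage_options` capability are assumptions chosen for illustration.

```php
<?php
// Added example (not code from the newsletter or any named plugin).
// admin-ajax.php only confirms the request comes from a logged-in user, then
// fires wp_ajax_{action}. Authorization is the handler's job.

// --- Unsafe form: any authenticated user (a subscriber is enough) can call this.
add_action( 'wp_ajax_mysg_save_setting', 'mysg_save_setting_unsafe' );
function mysg_save_setting_unsafe() {
    $value = isset( $_POST['value'] ) ? $_POST['value'] : '';
    update_option( 'mysg_setting', $value ); // no capability check, no nonce, raw input
    wp_send_json_success();
}

// --- Hardened form: three checks before any side effect.
add_action( 'wp_ajax_mysg_save_setting_v2', 'mysg_save_setting_safe' );
function mysg_save_setting_safe() {
    // 1. CSRF: the request must carry a nonce minted for this action
    //    (created with wp_create_nonce( 'mysg_save_setting' ) and passed to the
    //    front end, e.g. via wp_localize_script). Dies with 403 on failure.
    check_ajax_referer( 'mysg_save_setting', 'nonce' );

    // 2. Authorization: being logged in is not enough; the user must hold the
    //    capability that this action actually requires.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Input validation: never persist raw request data.
    $value = isset( $_POST['value'] )
        ? sanitize_text_field( wp_unslash( $_POST['value'] ) )
        : '';
    update_option( 'mysg_setting', $value );
    wp_send_json_success();
}

// wp_ajax_nopriv_{action} hooks run for unauthenticated visitors, so a handler
// registered there must treat every input as hostile and do no privileged work.
```

When auditing a plugin, grep for `add_action( 'wp_ajax_` and `wp_ajax_nopriv_` and confirm each callback reaches a `current_user_can` (or equivalent) check before its first write, upload or deletion.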


