CVE-2026-56058
CriticalCVSS 9.9Exploitation Probability (EPSS)
Low risk28th percentile — higher than 28% of all known CVEs
Summary
A vulnerability in the Quform plugin versions up to 2.23.0 allows a subscriber-level user to upload arbitrary files to the server. An attacker can exploit this flaw to upload a malicious file, potentially leading to full site compromise.
Risk Assessment
The risk for the organization includes the possibility of remote code execution by an unauthorized user, which may result in data integrity breaches, information theft, or complete takeover of the WordPress site.
Recommendation
It is recommended to immediately update the Quform plugin to the latest available version that fixes this vulnerability. Also, restrict subscriber user permissions to the minimum necessary.
Original NVD description (English source)
Subscriber Arbitrary File Upload in Quform <= 2.23.0 versions.

