CVE Catalog

CVE-2026-9815

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.22%

12th percentile — higher than 12% of all known CVEs

Summary

The MagicForm WordPress plugin through 0.1.3 does not properly validate the type of files uploaded through an unauthenticated AJAX action when a form's per-field extension allowlist is left empty, allowing unauthenticated attackers to upload PHP files and execute arbitrary code on the server.

Risk Assessment

The organization is at risk of attacks that could lead to remote code execution, potentially resulting in data loss or server takeover.

Recommendation

It is recommended to update the MagicForm plugin to the latest version and configure the per-field extension allowlist to minimize the risk of uploading dangerous files.

Original NVD description (English source)

The MagicForm WordPress plugin through 0.1.3 does not properly validate the type of files uploaded through an unauthenticated AJAX action when a form's per-field extension allowlist is left empty, allowing unauthenticated attackers to upload PHP files and execute arbitrary code on the server.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS