CVE-2026-9815
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk12th percentile — higher than 12% of all known CVEs
Summary
The MagicForm WordPress plugin through 0.1.3 does not properly validate the type of files uploaded through an unauthenticated AJAX action when a form's per-field extension allowlist is left empty, allowing unauthenticated attackers to upload PHP files and execute arbitrary code on the server.
Risk Assessment
The organization is at risk of attacks that could lead to remote code execution, potentially resulting in data loss or server takeover.
Recommendation
It is recommended to update the MagicForm plugin to the latest version and configure the per-field extension allowlist to minimize the risk of uploading dangerous files.
Original NVD description (English source)
The MagicForm WordPress plugin through 0.1.3 does not properly validate the type of files uploaded through an unauthenticated AJAX action when a form's per-field extension allowlist is left empty, allowing unauthenticated attackers to upload PHP files and execute arbitrary code on the server.

