CVE-2026-9815
MagicForm <= 0.1.3 - Unauthenticated Arbitrary File Upload to RCE
The MagicForm WordPress plugin through 0.1.3 does not properly validate the type of files uploaded through an unauthenticated AJAX action when a form's per-field extension allowlist is left empty, allowing unauthenticated attackers to upload PHP files and execute arbitrary code on the server.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Affected products
Unknown · MagicFormpublic PoCs found — 1
cve_referencewpscan.com/vulnerability/043f449f-fc65-4218-83d2-7742e62f2af3/unverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →