CVE-2026-56058
Deferred - Pending Action
Subscriber Arbitrary File Upload in Quform

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: Patchstack

Description
Subscriber Arbitrary File Upload in Quform <= 2.23.0 versions.
Meta Information
Published: 2026-06-26
Last Modified: 2026-06-26
Generated: 2026-06-26
AI Q&A: 2026-06-26
EPSS Evaluated: N/A
Affected Vendors & Products
Currently, no data is known.
CWE ID: CWE-434
Description: The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Compliance Impact

The vulnerability in the WordPress Quform Plugin allows attackers to upload arbitrary files, including malicious backdoors, which can lead to unauthorized access to a website.

Such unauthorized access and potential data breaches can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data.

Failure to address this vulnerability could result in exposure of protected data, leading to regulatory penalties and loss of trust.

Executive Summary

The WordPress Quform Plugin, versions 2.23.0 and below, contains an Arbitrary File Upload vulnerability. This means attackers can upload any type of file, including malicious backdoors, to an affected website.

This flaw allows unauthorized users to potentially gain further access to the website by exploiting the uploaded malicious files.

Impact Analysis

This vulnerability can have severe impacts including unauthorized access to your website, data breaches, and potential full site compromise.

Attackers can upload malicious backdoors that allow them to control the website, steal sensitive information, or launch further attacks.

The vulnerability has a high severity score of 9.9, indicating it is critical and likely to be exploited in mass campaigns targeting many websites.

Immediate action such as updating the plugin to version 2.23.1 or later is strongly advised to mitigate these risks.

Mitigation Strategies

The immediate recommended step is to update the WordPress Quform plugin to version 2.23.1 or later, which contains the fix for this arbitrary file upload vulnerability.

If updating the plugin is not possible right away, users should seek assistance from their hosting provider or web developer.

Additionally, Patchstack has provided a mitigation rule that can be applied to block attacks targeting this vulnerability until the plugin is updated.

Detection Guidance

The vulnerability in the WordPress Quform Plugin (versions 2.23.0 and below) allows arbitrary file uploads, which can be detected by monitoring for unusual file upload activity or the presence of unexpected files on the server.

While no specific detection commands are provided in the available resources, general approaches include checking the plugin version to confirm if it is vulnerable and scanning the web server for suspicious uploaded files or backdoors.

It is recommended to update the plugin to version 2.23.1 or later to mitigate the issue. Until then, applying mitigation rules provided by Patchstack or consulting with your hosting provider or web developer is advised.
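
The two general checks named above (confirm the installed plugin version, then scan the upload tree for unexpected files), as an added example that is not from the advisory or from the plugin's code. It assumes the standard WordPress plugin header `Version:` field; the file names, directory layout, and extension list are illustrative assumptions to adapt to the actual install.

```python
import re
import tempfile
from pathlib import Path

LAST_VULNERABLE = (2, 23, 0)  # from the advisory: Quform <= 2.23.0 is affected
# Assumption: names a typical PHP host may execute or that change request handling.
RISKY_EXT = {".php", ".phtml", ".phar", ".php5", ".php7", ".pht", ".htaccess"}

def plugin_version(main_file: Path):
    """Read the 'Version:' field from a WordPress plugin header comment."""
    head = main_file.read_text(errors="replace")[:8192]
    m = re.search(r"^[ \t/*#@]*Version:\s*([0-9]+(?:\.[0-9]+)*)", head, re.M | re.I)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def is_vulnerable(version):
    """True when version <= 2.23.0; an unreadable version is treated as vulnerable."""
    if version is None:
        return True
    padded = version + (0,) * (3 - len(version))
    return padded <= LAST_VULNERABLE

def suspicious_uploads(upload_root: Path):
    """List files whose name carries a risky extension anywhere (e.g. x.php.jpg)."""
    hits = []
    for path in sorted(upload_root.rglob("*")):
        if not path.is_file():
            continue
        parts = {"." + p for p in path.name.lower().split(".")[1:]}
        if parts & RISKY_EXT:
            hits.append(path.relative_to(upload_root).as_posix())
    return hits

def demo():
    """Constructed sample tree; every path and file name here is hypothetical."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        main = root / "plugin-main.php"
        main.write_text("<?php\n/*\n * Plugin Name: Quform\n * Version: 2.23.0\n */\n")
        up = root / "uploads" / "2026" / "06"
        up.mkdir(parents=True)
        for name in ("cv.pdf", "avatar.php.jpg", "x.phtml"):
            (up / name).write_text("constructed sample")
        return is_vulnerable(plugin_version(main)), suspicious_uploads(root / "uploads")

if __name__ == "__main__":
    print(demo())
```

A hit is a lead for manual review, not proof of compromise; compare file timestamps against the period the vulnerable version was installed.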
