CVE-2026-9815
Deferred Deferred - Pending Action

Arbitrary File Upload in MagicForm WordPress Plugin

Vulnerability report for CVE-2026-9815, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-18

Last updated on: 2026-06-22

Assigner: WPScan

Description

The MagicForm WordPress plugin through 0.1.3 does not properly validate the type of files uploaded through an unauthenticated AJAX action when a form's per-field extension allowlist is left empty, allowing unauthenticated attackers to upload PHP files and execute arbitrary code on the server.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-18
Last Modified
2026-06-22
Generated
2026-07-08
AI Q&A
2026-06-18
EPSS Evaluated
2026-07-07
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
magicform magicform to 0.1.3 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability CVE-2026-9815 affects the MagicForm WordPress plugin version 0.1.3 and earlier. It occurs because the plugin does not properly validate the type of files uploaded through an unauthenticated AJAX action when a form's per-field extension allowlist is left empty.

This flaw allows unauthenticated attackers to upload PHP files to the server, which can then be executed, leading to arbitrary code execution on the server.

Impact Analysis

This vulnerability can have severe impacts as it allows attackers to execute arbitrary code on the server without any authentication.

  • Attackers can upload malicious PHP files.
  • Remote code execution can lead to full server compromise.
  • Sensitive data stored on the server could be accessed or modified.
  • The website's availability and integrity could be disrupted.
Mitigation Strategies

The vulnerability allows unauthenticated attackers to upload PHP files and execute arbitrary code on the server due to improper file type validation in the MagicForm WordPress plugin version 0.1.3 or lower.

As of the last update, no known fix has been released for this vulnerability.

Immediate mitigation steps include disabling or removing the MagicForm plugin until a patch is available, and ensuring that forms do not have empty per-field extension allowlists to prevent arbitrary file uploads.

Additionally, restricting file upload permissions and monitoring for suspicious PHP files on the server can help reduce risk.

Compliance Impact

The vulnerability allows unauthenticated attackers to upload and execute arbitrary PHP code on the server, which can lead to unauthorized access and control over the affected system.

Such unauthorized access and potential data breaches could result in non-compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data.

However, the provided information does not explicitly detail the impact on compliance with these standards.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9815. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart