CVE-2026-9815
Arbitrary File Upload in MagicForm WordPress Plugin

Publication date: 2026-06-18

Last updated on: 2026-06-18

Assigner: WPScan

Description
The MagicForm WordPress plugin through 0.1.3 does not properly validate the type of files uploaded through an unauthenticated AJAX action when a form's per-field extension allowlist is left empty, allowing unauthenticated attackers to upload PHP files and execute arbitrary code on the server.
Meta Information
Generated: 2026-06-18
AI Q&A: 2026-06-18
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor: magicform
Product: magicform
Version / Range: through 0.1.3 (inclusive)
CWE ID: CWE-UNKNOWN
AI Quick Actions (instant insights powered by AI)
Executive Summary

The vulnerability CVE-2026-9815 affects the MagicForm WordPress plugin version 0.1.3 and earlier. It occurs because the plugin does not properly validate the type of files uploaded through an unauthenticated AJAX action when a form's per-field extension allowlist is left empty.

This flaw allows unauthenticated attackers to upload PHP files to the server, which can then be executed, leading to arbitrary code execution on the server.

Impact Analysis

This vulnerability can have severe impacts as it allows attackers to execute arbitrary code on the server without any authentication.

  • Attackers can upload malicious PHP files.
  • Remote code execution can lead to full server compromise.
  • Sensitive data stored on the server could be accessed or modified.
  • The website's availability and integrity could be disrupted.
Mitigation Strategies

The vulnerability allows unauthenticated attackers to upload PHP files and execute arbitrary code on the server due to improper file type validation in the MagicForm WordPress plugin version 0.1.3 or lower.

As of the last update, no known fix has been released for this vulnerability.

Immediate mitigation steps include disabling or removing the MagicForm plugin until a patch is available, and ensuring that forms do not have empty per-field extension allowlists to prevent arbitrary file uploads.

Additionally, restricting file upload permissions and monitoring for suspicious PHP files on the server can help reduce risk.
