CVE-2026-9815

UNKNOWN 0.0

MagicForm <= 0.1.3 - Unauthenticated Arbitrary File Upload to RCE

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

The MagicForm WordPress plugin through 0.1.3 does not properly validate the type of files uploaded through an unauthenticated AJAX action when a form's per-field extension allowlist is left empty, allowing unauthenticated attackers to upload PHP files and execute arbitrary code on the server.

Vendor	unknown
Product	magicform
Published	Jun 18, 2026

Stay Ahead of the Next One

Get instant alerts for unknown magicform

Be the first to know when new unknown vulnerabilities affecting unknown magicform are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Unknown / MagicForm

0 ≤ 0.1.3

References

NVD ↗ CVE.org ↗ EPSS Data ↗

wpscan.com: https://wpscan.com/vulnerability/043f449f-fc65-4218-83d2-7742e62f2af3/

Credits

0xBassia WPScan