MEDIUM
MagicForm
CVE published 2026-06-18
CVE-2026-9815
The MagicForm WordPress plugin through version 0.1.3 has a critical vulnerability that allows unauthenticated attackers to upload PHP files and execute arbitrary code on the server. This occurs when a form's per-field extension allowlist is left empty and the plugin fails to properly validate the type of files uploaded through an unauthenticated AJAX action. The vulnerability has a CVSS score of 6.5 and a [truncated]