Vulnerability Brief

CVE-2026-9815

  • Severity: MEDIUM
  • CVSS score: 6.5

Technical summary

The MagicForm WordPress plugin through 0.1.3 does not properly validate the type of files uploaded through an unauthenticated AJAX action when a form's per-field extension allowlist is left empty, allowing unauthenticated attackers to upload PHP files and execute arbitrary code on the server.
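
The class of flaw described above, an empty extension allowlist being read as "no restriction", shown next to a fail-closed check. This is an added illustration and not MagicForm's code: the function names, the blocked-extension list and the sample filenames are assumptions constructed for the example.

```php
<?php
// Added illustration, not MagicForm's code; all names here are hypothetical.

// Extensions refused whatever the form configuration says (constructed list).
const BLOCKED_EXTENSIONS = ['php', 'phtml', 'phar', 'pht', 'php5', 'php7', 'htaccess'];

// Fail-open pattern: an empty allowlist skips the check entirely.
function is_allowed_fail_open(string $filename, array $allowlist): bool
{
    if (count($allowlist) === 0) {
        return true; // nothing configured, so every file type passes
    }
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return in_array($ext, $allowlist, true);
}

// Fail-closed pattern: an empty allowlist rejects every upload.
function is_allowed_fail_closed(string $filename, array $allowlist): bool
{
    $allowlist = array_map('strtolower', $allowlist);
    if (count($allowlist) === 0) {
        return false;
    }
    // Check every dot-separated segment after the base name, so that
    // "notes.php.jpg" and ".htaccess" are refused as well as "upload.php".
    $segments = array_slice(explode('.', strtolower(basename($filename))), 1);
    if (count($segments) === 0) {
        return false; // no extension at all
    }
    foreach ($segments as $segment) {
        if (in_array($segment, BLOCKED_EXTENSIONS, true)) {
            return false;
        }
    }
    return in_array(end($segments), $allowlist, true);
}

// Constructed sample inputs: [filename, per-field allowlist].
$cases = [
    ['photo.jpg', []],
    ['upload.php', []],
    ['upload.php', ['jpg', 'png']],
    ['notes.PHP.jpg', ['jpg']],
    ['photo.jpg', ['jpg', 'png']],
];
foreach ($cases as [$name, $list]) {
    printf("%-14s allowlist=[%s] fail_open=%s fail_closed=%s\n", $name, implode(',', $list),
        var_export(is_allowed_fail_open($name, $list), true),
        var_export(is_allowed_fail_closed($name, $list), true));
}
```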