CVE-2026-9815 PUBLISHED

MagicForm <= 0.1.3 - Unauthenticated Arbitrary File Upload to RCE

Assigner: WPScan
Reserved: 28.05.2026 | Published: 18.06.2026 | Updated: 18.06.2026

The MagicForm WordPress plugin through 0.1.3 does not properly validate the type of files uploaded through an unauthenticated AJAX action when a form's per-field extension allowlist is left empty, allowing unauthenticated attackers to upload PHP files and execute arbitrary code on the server.

Product Status

Vendor: Unknown
Product: MagicForm
Versions (default: unknown)
  • affected from 0 to 0.1.3 (incl.)

Credits

  • 0xBassia (finder)
  • WPScan (coordinator)

Problem Types

  • CWE-434: Unrestricted Upload of File with Dangerous Type