Description
Unauthenticated Arbitrary File Upload in SigmaForms Pro – AI Generated Forms <= 1.4.5 versions.
Published: 2026-06-17
Score: 9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The SigmaForms Pro – AI Generated Forms plugin for WordPress, when using versions 1.4.5 or earlier, allows any user to upload files without authentication. The flaw arises from a file‑upload feature that fails to validate the type or contents of the uploaded file. An attacker could place a malicious payload such as a PHP script and gain remote code execution or other severe compromise of the entire site. The vulnerability is identified as CWE‑434.

Affected Systems

WordPress sites that have the BDthemes SigmaForms Pro – AI Generated Forms plugin installed at version 1.4.5 or earlier are affected. Any website using this plugin in its current form is at risk.

Risk and Exploitability

The CVSS score of 9 assigns critical severity to this issue. No EPSS data is available and the vulnerability is not listed in the CISA KEV catalog, but the lack of authentication for the upload endpoint means an attacker can exploit the flaw simply by sending a crafted HTTP request or via a standard form on the site. The combination of unrestricted file types and lack of upload validation results in a high likelihood of successful exploitation and a potentially catastrophic impact for site administrators.

Generated by OpenCVE AI on June 18, 2026 at 12:07 UTC.

Remediation

Vendor Solution

Update the WordPress SigmaForms Pro – AI Generated Forms Plugin to the latest available version (at least 1.4.6).


OpenCVE Recommended Actions

  • Upgrade the plugin to version 1.4.6 or later, which removes the arbitrary file upload flaw.
  • If an immediate upgrade is not possible, deactivate or uninstall the SigmaForms Pro plugin until an update can be applied.
  • Configure WordPress upload restrictions to permit only allowed MIME types, set maximum file size limits, and use a security plugin to block non‑text files until the plugin is updated.

Generated by OpenCVE AI on June 18, 2026 at 12:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Bdthemes
Bdthemes sigmaforms Pro – Ai Generated Forms
Wordpress
Wordpress wordpress
Vendors & Products Bdthemes
Bdthemes sigmaforms Pro – Ai Generated Forms
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Unauthenticated Arbitrary File Upload in SigmaForms Pro – AI Generated Forms <= 1.4.5 versions.
Title WordPress SigmaForms Pro – AI Generated Forms plugin <= 1.4.5 - Arbitrary File Upload vulnerability
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

Bdthemes Sigmaforms Pro – Ai Generated Forms
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T15:34:30.929Z

Reserved: 2026-06-08T10:11:13.730Z

Link: CVE-2026-52705

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T23:03:50Z

Weaknesses
  • CWE-434

    Unrestricted Upload of File with Dangerous Type