Impact
The SigmaForms Pro – AI Generated Forms plugin for WordPress, when using versions 1.4.5 or earlier, allows any user to upload files without authentication. The flaw arises from a file‑upload feature that fails to validate the type or contents of the uploaded file. An attacker could place a malicious payload such as a PHP script and gain remote code execution or other severe compromise of the entire site. The vulnerability is identified as CWE‑434.
Affected Systems
WordPress sites that have the BDthemes SigmaForms Pro – AI Generated Forms plugin installed at version 1.4.5 or earlier are affected. Any website using this plugin in its current form is at risk.
Risk and Exploitability
The CVSS score of 9 assigns critical severity to this issue. No EPSS data is available and the vulnerability is not listed in the CISA KEV catalog, but the lack of authentication for the upload endpoint means an attacker can exploit the flaw simply by sending a crafted HTTP request or via a standard form on the site. The combination of unrestricted file types and lack of upload validation results in a high likelihood of successful exploitation and a potentially catastrophic impact for site administrators.
OpenCVE Enrichment