Description
The MagicForm WordPress plugin through 0.1.3 does not properly validate the type of files uploaded through an unauthenticated AJAX action when a form's per-field extension allowlist is left empty, allowing unauthenticated attackers to upload PHP files and execute arbitrary code on the server.
Published: 2026-06-18
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in the MagicForm WordPress plugin lets an attacker upload arbitrary files, including PHP scripts, because the plugin performs no file type validation when a form field's extension allowlist is empty. Because the upload is handled by an AJAX action that requires no authentication, an attacker can place a PHP file on the server and have it executed, leading to remote code execution and full control of the affected WordPress installation.

Affected Systems

Any WordPress site that has the MagicForm plugin installed with version 0.1.3 or earlier is vulnerable. The plugin vendor is listed as Unknown:MagicForm, and the flaw exists specifically in all releases up to and including 0.1.3. No specific version range beyond that is documented, so any site using an affected revision must update.

Risk and Exploitability

The vulnerability has a CVSS score of 6.5, indicating moderate severity, and the EPSS score is below 1%, implying a low current exploitation probability. It is not listed in the CISA KEV catalog. The attack can be carried out remotely with no authentication through HTTP requests to the plugin's AJAX endpoint; all the attacker needs is a form whose per-field extension allowlist has been left empty, since no file type check is applied in that case. Once a PHP file is uploaded to a web-accessible location, arbitrary code can be executed on the server.

Generated by OpenCVE AI on June 18, 2026 at 19:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the MagicForm plugin to the latest version (0.1.4 or newer), where file type validation is enforced.
  • If an update is not immediately available, restrict access to the plugin's AJAX endpoint with a firewall rule or an .htaccess rule that blocks unauthenticated requests, or disable the AJAX handler entirely until the plugin is patched.
  • Configure the per-field extension allowlist on every form to include only safe file types, or disable the upload feature altogether if it is not needed.
  • As an additional temporary measure, configure the web server to reject PHP file uploads at the application layer, or disable uploads through PHP's file upload settings.
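To make the allowlist point in the last two actions concrete, the snippet below is an added example written for this page; it is not MagicForm's own code and assumes nothing about the plugin's real handler. It places an extension check that treats an empty allowlist as "no restriction" (the failure mode the advisory describes) beside a check that fails closed, normalises case, and refuses server-executable extensions regardless of what an administrator allowlists. The function names, the constant, and the sample filenames are all constructed for the demonstration.

```php
<?php
// Added example, not MagicForm's code: weak vs. hardened per-field extension
// allowlist checks for an upload handler on a PHP host.
declare(strict_types=1);

// Extensions the PHP interpreter or web server may execute or honour; these
// are never accepted, even if present in a configured allowlist.
const EXECUTABLE_EXTENSIONS = [
    'php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phar', 'phps',
    'pht', 'inc', 'htaccess',
];

// Weak check: an empty allowlist is interpreted as "accept anything", which is
// the shape of the flaw described in this advisory.
function weak_extension_check(string $filename, array $allowlist): bool
{
    if ($allowlist === []) {
        return true; // defect: no configured restriction means every file passes
    }
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return in_array($ext, $allowlist, true);
}

// Hardened check: fail closed on an empty allowlist, reject names without an
// extension or starting with a dot, refuse any executable extension segment
// anywhere in the name, and require the final extension to be allowlisted.
function hardened_extension_check(string $filename, array $allowlist): bool
{
    if ($allowlist === []) {
        return false; // fail closed: nothing configured means nothing accepted
    }
    $allow = array_map('strtolower', $allowlist);
    $parts = explode('.', basename($filename));
    if (count($parts) < 2 || $parts[0] === '') {
        return false; // no extension at all, or a dotfile such as .htaccess
    }
    array_shift($parts); // drop the base name; remaining parts are extensions
    $segments = array_map('strtolower', $parts);
    foreach ($segments as $seg) {
        if ($seg === '' || in_array($seg, EXECUTABLE_EXTENSIONS, true)) {
            return false; // empty segment or an executable extension anywhere
        }
    }
    return in_array(end($segments), $allow, true);
}

// Constructed sample filenames and allowlists for the demonstration.
$samples = ['report.pdf', 'photo.JPG', 'upload.php', 'doc.pdf.php', '.htaccess', 'archive'];
foreach ([[], ['pdf', 'jpg']] as $allowlist) {
    printf("allowlist=%s\n", $allowlist === [] ? '(empty)' : implode(',', $allowlist));
    foreach ($samples as $name) {
        printf(
            "  %-12s weak=%-5s hardened=%s\n",
            $name,
            weak_extension_check($name, $allowlist) ? 'pass' : 'deny',
            hardened_extension_check($name, $allowlist) ? 'pass' : 'deny'
        );
    }
}
```

With the empty allowlist the weak check passes every sample, including upload.php, while the hardened check denies all of them; with ['pdf', 'jpg'] the hardened check admits only report.pdf and photo.JPG. An extension check is one layer only: in a real WordPress handler it belongs alongside WordPress's own wp_check_filetype_and_ext() content sniffing and a web-server rule that refuses to execute PHP from the uploads directory.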

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 20:15:00 +0000

Type         Values Removed   Values Added
Weaknesses   (none)           CWE-284, CWE-434

Thu, 18 Jun 2026 16:45:00 +0000

Type          Values Removed   Values Added
Description   (none)           The MagicForm WordPress plugin through 0.1.3 does not properly validate the type of files uploaded through an unauthenticated AJAX action when a form's per-field extension allowlist is left empty, allowing unauthenticated attackers to upload PHP files and execute arbitrary code on the server.
Title         (none)           MagicForm <= 0.1.3 - Unauthenticated Arbitrary File Upload to RCE
References    (none)           (none)
Metrics       (none)           cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}
                               ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-06-18T13:15:23.843Z

Reserved: 2026-05-28T09:50:03.864Z

Link: CVE-2026-9815

Vulnrichment

Updated: 2026-06-18T13:15:18.737Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T20:00:15Z

Weaknesses
  • CWE-284: Improper Access Control
  • CWE-434: Unrestricted Upload of File with Dangerous Type