MagicForm <= 0.1.3 – Unauthenticated Arbitrary File Upload to RCE | CVE 2026-9815

Description

The plugin does not properly validate the type of files uploaded through an unauthenticated AJAX action when a form's per-field extension allowlist is left empty, allowing unauthenticated attackers to upload PHP files and execute arbitrary code on the server.

Proof of Concept

The PoC will be displayed once the issue has been remediated.

Affects Plugins

magicform

No known fix

References

CVE

CVE-2026-9815

URL

https://wordpress.org/plugins/magicform/

Miscellaneous

Original Researcher

0xBassia

Submitter

0xBassia

Submitter website

https://github.com/0xBassia

Submitter twitter

MohamedBassia

Verified

Yes

WPVDB ID

043f449f-fc65-4218-83d2-7742e62f2af3

Timeline

Publicly Published

2026-05-28 (about 21 days ago)

Added

2026-05-28 (about 20 days ago)

Last Updated

2026-06-17 (about 11 hours ago)

Other

Published

Title

Published

2017-04-20

Title

WooCommerce Catalog Enquiry - Arbitrary File Upload

Published

2024-10-14

Title

WordPress Gallery Plugin – Limb Image Gallery <= 1.5.7 - Authenticated (Subscriber+) Arbitrary File Upload

Published

2023-12-27

Title

WP MLM <= 4.0 - Unauthenticated Arbitrary File Upload

Published

2014-08-01

Title

Right Now - Arbitrary File Upload

Published

2014-08-01

Title

Mac Photo Gallery - upload-file.php File Upload