Unrated severityNVD Advisory· Published Jun 18, 2026
MagicForm <= 0.1.3 - Unauthenticated Arbitrary File Upload to RCE
CVE-2026-9815
Description
The MagicForm WordPress plugin through 0.1.3 does not properly validate the type of files uploaded through an unauthenticated AJAX action when a form's per-field extension allowlist is left empty, allowing unauthenticated attackers to upload PHP files and execute arbitrary code on the server.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
1Patches
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1- wpscan.com/vulnerability/043f449f-fc65-4218-83d2-7742e62f2af3/mitreexploitvdb-entrytechnical-description
News mentions
0No linked articles in our index yet.