PT-2026-56777 · WordPress · Balbooa Forms

Phil Taylor

·

Published

2026-07-09

·

Updated

2026-07-14

·

CVE-2026-56291

CVSS v4.0

10

Critical

VectorAV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/AU:Y/U:Red
Name of the Vulnerable Software and Affected Versions Balbooa Forms versions prior to 2.4.1
Description The Joomla extension Balbooa Forms, installed as the com baforms component, contains a flaw in its frontend attachment upload functionality. This issue allows an unauthenticated anonymous visitor to upload arbitrary executable files, such as .php files, into a public folder without requiring a login or a CSRF token (Cross-Site Request Forgery token, a unique value used to prevent unauthorized commands from being transmitted from a user that the web application trusts). This leads to remote code execution (RCE), enabling an attacker to execute arbitrary code on the server. This issue has been actively exploited in the wild.
Recommendations Update Balbooa Forms to a version newer than 2.4.0.

Exploit

Fix

RCE

Unrestricted File Upload

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-56291

Affected Products

Balbooa Forms