PT-2026-56777 · WordPress · Balbooa Forms
Phil Taylor
·
Published
2026-07-09
·
Updated
2026-07-14
·
CVE-2026-56291
CVSS v4.0
10
Critical
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/AU:Y/U:Red |
Name of the Vulnerable Software and Affected Versions
Balbooa Forms versions prior to 2.4.1
Description
The Joomla extension Balbooa Forms, installed as the
com baforms component, contains a flaw in its frontend attachment upload functionality. This issue allows an unauthenticated anonymous visitor to upload arbitrary executable files, such as .php files, into a public folder without requiring a login or a CSRF token (Cross-Site Request Forgery token, a unique value used to prevent unauthorized commands from being transmitted from a user that the web application trusts). This leads to remote code execution (RCE), enabling an attacker to execute arbitrary code on the server. This issue has been actively exploited in the wild.Recommendations
Update Balbooa Forms to a version newer than 2.4.0.
Exploit
Fix
RCE
Unrestricted File Upload
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Balbooa Forms