PT-2026-50647 · Undefined · Undefined
0Xbassia
·
Published
2026-06-18
·
Updated
2026-06-18
·
CVE-2026-9815
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
The MagicForm WordPress plugin through 0.1.3 does not properly validate the type of files uploaded through an unauthenticated AJAX action when a form's per-field extension allowlist is left empty, allowing unauthenticated attackers to upload PHP files and execute arbitrary code on the server.
Exploit
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Undefined