PT-2026-56777 · WordPress · Balbooa Forms
Phil Taylor
·
Published
2026-07-09
·
Updated
2026-07-09
·
CVE-2026-56291
CVSS v4.0
10
Critical
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/AU:Y/U:Red |
Name of the Vulnerable Software and Affected Versions
Balbooa Forms versions prior to 2.4.1
Description
The
com baforms component contains a flaw in its frontend attachment upload functionality. This issue allows an unauthenticated anonymous visitor to upload arbitrary files, including executable .php files, to a public folder without requiring a login or a CSRF (Cross-Site Request Forgery) token. This can lead to remote code execution (RCE), which allows an attacker to execute arbitrary commands on the server. This issue has been exploited in real-world attacks.Recommendations
Update Balbooa Forms to version 2.4.1 or later.
Fix
Unrestricted File Upload
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Balbooa Forms