PT-2026-56777 · WordPress · Balbooa Forms

Phil Taylor

·

Published

2026-07-09

·

Updated

2026-07-09

·

CVE-2026-56291

CVSS v4.0

10

Critical

VectorAV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/AU:Y/U:Red
Name of the Vulnerable Software and Affected Versions Balbooa Forms versions prior to 2.4.1
Description The com baforms component contains a flaw in its frontend attachment upload functionality. This issue allows an unauthenticated anonymous visitor to upload arbitrary files, including executable .php files, to a public folder without requiring a login or a CSRF (Cross-Site Request Forgery) token. This can lead to remote code execution (RCE), which allows an attacker to execute arbitrary commands on the server. This issue has been exploited in real-world attacks.
Recommendations Update Balbooa Forms to version 2.4.1 or later.

Fix

Unrestricted File Upload

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-56291

Affected Products

Balbooa Forms