File Upload Vulnerability in MagicForm Plugin Affects WordPress Users
CVE-2026-9815
Currently unrated
Key Information:
Badges: Exploit Exists, Public PoC
What is CVE-2026-9815?
The MagicForm plugin for WordPress, up to and including version 0.1.3, contains a critical flaw that allows unauthenticated attackers to upload malicious PHP files via an AJAX action. The cause is inadequate validation of uploaded file types when a field's extension allowlist is empty. An attacker who exploits this vulnerability can execute arbitrary code on the server, which can lead to full system compromise and data breaches.
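The fail-open allowlist pattern described above, next to a fail-closed version, as an added example; it is not MagicForm's code and not part of the original page. The function names, the default and deny lists, and the sample filenames are assumptions constructed for illustration.

```php
<?php
// Hypothetical helpers illustrating the flaw class; not taken from the plugin.

// Fail-open: an empty per-field allowlist skips the check entirely.
function extension_allowed_fail_open(string $filename, array $fieldAllowlist): bool
{
    if (empty($fieldAllowlist)) {
        return true; // nothing configured => every extension passes, .php included
    }
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return in_array($ext, $fieldAllowlist, true);
}

// Assumed defaults for the hardened version.
const DEFAULT_ALLOWED = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];
const NEVER_ALLOWED   = ['php', 'phtml', 'phar', 'php5', 'php7', 'pht', 'htaccess'];

// Fail-closed: an empty per-field list falls back to a fixed default list,
// and every dot-separated segment after the base name is inspected.
function extension_allowed_fail_closed(string $filename, array $fieldAllowlist): bool
{
    $allow = array_map('strtolower', $fieldAllowlist ?: DEFAULT_ALLOWED);
    $parts = explode('.', strtolower(basename($filename)));
    array_shift($parts);               // drop the base name
    if ($parts === []) {
        return false;                  // no extension at all
    }
    foreach ($parts as $segment) {
        if (in_array($segment, NEVER_ALLOWED, true)) {
            return false;              // rejects shell.php.jpg and .htaccess
        }
    }
    return in_array(end($parts), $allow, true);
}

// Constructed sample filenames, checked against an empty per-field allowlist.
$samples = ['photo.JPG', 'report.pdf', 'shell.php', 'shell.php.jpg', '.htaccess', 'noext'];
foreach ($samples as $name) {
    printf("%-14s fail-open=%-5s fail-closed=%s\n", $name,
        var_export(extension_allowed_fail_open($name, []), true),
        var_export(extension_allowed_fail_closed($name, []), true));
}
```

With an empty allowlist the first function accepts every sample, while the second accepts only `photo.JPG` and `report.pdf`. An extension check is one layer; storing uploads where the web server does not execute PHP limits the impact if a check is bypassed.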
Affected Version(s)
MagicForm: versions 0 through 0.1.3 (<= 0.1.3)
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that a vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.