GHSA-v7h3-h25c-vhc5MediumCVSS 6.5

The MagicForm WordPress plugin through 0.1.3 does not properly validate the type of files...

Published
June 18, 2026
Last Modified
June 18, 2026

🔗 CVE IDs covered (1)

📋 Description

The MagicForm WordPress plugin through 0.1.3 does not properly validate the type of files uploaded through an unauthenticated AJAX action when a form's per-field extension allowlist is left empty, allowing unauthenticated attackers to upload PHP files and execute arbitrary code on the server.

🔗 References (3)