CVE-2026-9815 Overview
CVE-2026-9815 affects the MagicForm WordPress plugin through version 0.1.3. The plugin fails to validate uploaded file types in an unauthenticated AJAX action when a form field's per-field extension allowlist is left empty. Unauthenticated attackers can upload PHP files to the server and execute arbitrary code in the WordPress process context. The flaw maps to improper input validation and unrestricted upload of dangerous file types [CWE-434]. Exploitation requires only a vulnerable form configuration on a public-facing site, with no authentication or user interaction.
Critical Impact
Unauthenticated remote attackers can upload PHP webshells and gain arbitrary code execution on any WordPress site running MagicForm ≤ 0.1.3 with an empty per-field extension allowlist.
Affected Products
- MagicForm WordPress plugin, all versions up to and including 0.1.3
- WordPress sites with MagicForm forms configured without a per-field extension allowlist
- Any hosting environment serving uploaded files from the WordPress uploads directory as PHP
Discovery Timeline
- 2026-06-18 - CVE-2026-9815 published to the National Vulnerability Database
- 2026-06-18 - Last updated in the NVD database
Technical Details for CVE-2026-9815
Vulnerability Analysis
MagicForm exposes an AJAX endpoint that accepts file uploads from form submissions. The endpoint is registered with both the wp_ajax_ and wp_ajax_nopriv_ hooks, making it reachable by unauthenticated visitors. Each form field can define an allowlist of permitted file extensions. When a site administrator leaves that allowlist empty, the plugin treats the absence of entries as no restriction rather than as a deny-all default.
An attacker submits a multipart request to the AJAX handler with a .php payload. The plugin writes the file to a path under the WordPress uploads directory using the attacker-controlled filename and extension. Requesting the resulting URL causes the web server to execute the PHP file, yielding code execution as the web server user.
Root Cause
The root cause is missing server-side file type validation combined with an insecure default for empty allowlist configurations. The handler relies on a user-supplied per-field allowlist instead of enforcing a hardcoded deny list for executable extensions or verifying MIME type through wp_check_filetype_and_ext(). This is a classic instance of unrestricted file upload [CWE-434] reachable through an unauthenticated AJAX action.
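The insecure-default pattern described above, shown next to a hardened check, as an added example written for this page; it is not MagicForm's code. The function names are hypothetical; wp_check_filetype_and_ext(), sanitize_file_name() and wp_handle_upload() are real WordPress functions and need WordPress loaded to run.

```php
<?php
/*
 * Added illustration, not MagicForm's own code. Contrasts an "empty allowlist
 * means no restriction" check with a hardened one that treats an empty
 * allowlist as deny-all, refuses PHP-executable extensions outright, and
 * verifies the real file type with wp_check_filetype_and_ext().
 * Function names prefixed example_ are hypothetical.
 */

/* Extensions a PHP-capable web server may execute. Never accept these,
 * whatever the administrator's per-field allowlist says. */
const EXAMPLE_EXECUTABLE_EXTENSIONS = [
    'php', 'phtml', 'phar', 'php3', 'php4', 'php5', 'php7', 'phps',
];

/* The vulnerable pattern: an empty allowlist is read as "anything goes". */
function example_vulnerable_extension_allowed(string $filename, array $allowlist): bool
{
    if (empty($allowlist)) {
        return true;                       // insecure default: no restriction at all
    }
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return in_array($ext, $allowlist, true);
}

/*
 * Hardened check. $file is one entry of $_FILES (name, tmp_name, ...).
 * Returns null when the upload is acceptable, otherwise an error message.
 */
function example_hardened_upload_check(array $file, array $allowlist): ?string
{
    // 1. An empty allowlist is deny-all, not allow-all.
    if (empty($allowlist)) {
        return 'This field does not accept file uploads.';
    }
    $allowlist = array_map('strtolower', $allowlist);

    // 2. Normalise the name and reject executable extensions in any position,
    //    so shell.php, shell.php.jpg and shell.jpg.php are all refused.
    $name     = sanitize_file_name($file['name']);
    $segments = array_slice(explode('.', strtolower($name)), 1);
    if ($segments === []) {
        return 'Files without an extension are not accepted.';
    }
    foreach ($segments as $segment) {
        if (in_array($segment, EXAMPLE_EXECUTABLE_EXTENSIONS, true)) {
            return 'Executable file types are never accepted.';
        }
    }

    // 3. Let WordPress compare the claimed extension with the file contents and
    //    its registered MIME map; 'ext' and 'type' come back false on a mismatch.
    $check = wp_check_filetype_and_ext($file['tmp_name'], $name);
    if (empty($check['ext']) || empty($check['type'])) {
        return 'File type could not be verified.';
    }

    // 4. Only now apply the administrator's per-field allowlist.
    if (!in_array(strtolower($check['ext']), $allowlist, true)) {
        return 'File type is not permitted for this field.';
    }
    return null;
}

/* How the check slots into an upload handler (illustrative). */
function example_handle_upload_field(array $file, array $allowlist): array
{
    $error = example_hardened_upload_check($file, $allowlist);
    if ($error !== null) {
        return ['error' => $error];
    }
    // wp_handle_upload() moves the file into the uploads directory and runs
    // WordPress' own filename sanitisation and MIME checks a second time.
    return wp_handle_upload($file, ['test_form' => false]);
}
```

The ordering matters: the deny list and content check run before the allowlist, so a misconfigured or empty allowlist can never widen what the server accepts, only narrow it.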
Attack Vector
The attack vector is network-based and unauthenticated. An attacker identifies a WordPress site running MagicForm, locates a form whose file-upload field has no extension allowlist, and posts a crafted multipart form with a PHP payload to the plugin's AJAX endpoint. The response or predictable upload path reveals the file URL. The attacker then issues a GET request to that URL to trigger PHP execution. Technical details are documented in the WPScan Vulnerability Report.
Detection Methods for CVE-2026-9815
Indicators of Compromise
- POST requests to admin-ajax.php containing MagicForm action parameters and multipart/form-data payloads with .php, .phtml, .phar, or .php5 filenames
- New PHP files appearing under wp-content/uploads/ with recent timestamps and unfamiliar filenames
- Outbound connections, or calls to system(), exec(), passthru(), or eval() from PHP, originating from the web server user after upload events
- Web server access logs showing GET requests to newly created PHP files in the uploads directory
Detection Strategies
- Alert on any HTTP POST to wp-admin/admin-ajax.php that contains a file part with an executable extension
- Hash and inventory all files in wp-content/uploads/ and flag files whose extensions are not in an approved media list
- Correlate file-creation events in the uploads directory with php-fpm or php-cgi worker processes that subsequently spawn shells
Monitoring Recommendations
- Enable file integrity monitoring on wp-content/uploads/ and wp-content/plugins/magicform/
- Forward WordPress, web server, and PHP-FPM logs to a central platform for correlation and retention
- Track process lineage from php-fpm or Apache to identify shells, curl, wget, or reverse-connection binaries launched after a form submission
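The uploads inventory and log correlation from the detection and monitoring lists above, carried out in an added example that is not part of the advisory or of the MagicForm project. It assumes PHP 8 for str_contains()/str_ends_with(), and the sample files and access-log lines are constructed here so the script runs offline.

```php
<?php
/*
 * Added example, not part of the advisory or the MagicForm project.
 * (1) Inventory an uploads tree and flag files whose extension chain holds a
 *     PHP-executable extension or whose final extension is outside an
 *     approved media list.
 * (2) Scan combined-format access-log lines for GETs of PHP files under
 *     wp-content/uploads/ and correlate them with earlier POSTs to
 *     admin-ajax.php from the same client (the body is not logged, so the
 *     POST alone is too noisy to alert on by itself).
 * Requires PHP 8. Sample data below is constructed for the demo.
 */

const APPROVED_MEDIA_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'webp', 'pdf'];
const EXECUTABLE_EXTENSIONS     = ['php', 'phtml', 'phar', 'php3', 'php4', 'php5', 'php7', 'phps'];

/* Walk $root and return [path => reason] for every file worth a look. */
function scan_uploads_tree(string $root): array
{
    $findings = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $info) {
        if (!$info->isFile()) {
            continue;
        }
        // Every segment after the first counts, so img.php.jpg is caught too.
        $segments = array_slice(explode('.', strtolower($info->getFilename())), 1);
        $path     = $info->getPathname();
        if (array_intersect($segments, EXECUTABLE_EXTENSIONS) !== []) {
            $findings[$path] = 'executable extension';
        } elseif ($segments === [] || !in_array(end($segments), APPROVED_MEDIA_EXTENSIONS, true)) {
            $findings[$path] = 'extension not in approved media list';
        }
    }
    ksort($findings);
    return $findings;
}

/* Returns [line index => reason] for suspicious requests in $lines. */
function flag_suspicious_requests(array $lines): array
{
    $parsed = [];
    foreach ($lines as $i => $line) {
        if (preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(GET|POST) (\S+) HTTP\/[\d.]+" (\d{3})/', $line, $m)) {
            $path = parse_url($m[3], PHP_URL_PATH);
            $parsed[$i] = [
                'ip'     => $m[1],
                'method' => $m[2],
                'path'   => strtolower(is_string($path) ? $path : $m[3]),
                'status' => $m[4],
            ];
        }
    }
    $flags  = [];
    $hitIps = [];
    // Pass 1: a GET of a PHP file under uploads is the high-signal event.
    foreach ($parsed as $i => $r) {
        if ($r['method'] === 'GET' && str_contains($r['path'], '/wp-content/uploads/')
            && preg_match('/\.(php|phtml|phar|php[3-7]|phps)(\/|$)/', $r['path'])) {
            $flags[$i]          = "GET of PHP file under uploads (HTTP {$r['status']})";
            $hitIps[$r['ip']]   = true;
        }
    }
    // Pass 2: POSTs to admin-ajax.php from those same clients are the likely uploads.
    foreach ($parsed as $i => $r) {
        if ($r['method'] === 'POST' && str_ends_with($r['path'], '/wp-admin/admin-ajax.php')
            && isset($hitIps[$r['ip']])) {
            $flags[$i] = 'POST to admin-ajax.php from a client that later fetched a PHP file in uploads';
        }
    }
    ksort($flags);
    return $flags;
}

/* --- constructed demo data --- */
$root = sys_get_temp_dir() . '/uploads-demo-' . getmypid();
foreach (['2026/06/photo.jpg', '2026/06/invoice.pdf', '2026/06/x.php', '2026/06/img.php.jpg', '2026/06/notes.txt'] as $rel) {
    @mkdir(dirname("$root/$rel"), 0700, true);
    file_put_contents("$root/$rel", '');
}
foreach (scan_uploads_tree($root) as $path => $reason) {
    echo substr($path, strlen($root) + 1), " => $reason\n";
}

$sampleLog = [
    '203.0.113.5 - - [18/Jun/2026:10:01:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [18/Jun/2026:10:01:09 +0000] "GET /wp-content/uploads/2026/06/x.php HTTP/1.1" 200 44 "-" "curl/8.0"',
    '198.51.100.7 - - [18/Jun/2026:10:02:00 +0000] "GET /wp-content/uploads/2026/06/photo.jpg HTTP/1.1" 200 8901 "-" "Mozilla/5.0"',
];
foreach (flag_suspicious_requests($sampleLog) as $i => $reason) {
    echo "line $i: $reason\n";
}
```

On the constructed data the tree scan reports x.php and img.php.jpg as executable and notes.txt as outside the media list, and the log pass flags the GET of x.php plus the preceding admin-ajax.php POST from 203.0.113.5 while leaving the unrelated photo.jpg request alone. Pointing scan_uploads_tree() at a real wp-content/uploads/ directory gives the baseline inventory the detection list asks for.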
How to Mitigate CVE-2026-9815
Immediate Actions Required
- Deactivate the MagicForm plugin until a fixed version is released and verified
- Audit every MagicForm form and populate the per-field extension allowlist with only the required media extensions, such as jpg, png, or pdf
- Search wp-content/uploads/ for PHP files and remove any that are not legitimate; if any are found, rotate WordPress secrets and database credentials
- Block execution of PHP within the uploads directory at the web server level
Patch Information
No fixed version is listed for MagicForm at the time of NVD publication. All releases through 0.1.3 are vulnerable. Monitor the WPScan Vulnerability Report and the plugin's WordPress.org page for an updated release.
Workarounds
- Configure a non-empty per-field extension allowlist on every MagicForm form that accepts uploads
- Deny execution of .php, .phtml, .phar, and .php* files within wp-content/uploads/ using web server configuration
- Place the site behind a web application firewall with a rule blocking multipart uploads of executable extensions to admin-ajax.php
# Apache (2.4+): prevent PHP execution in the WordPress uploads directory.
# Place in wp-content/uploads/.htaccess; AllowOverride for that directory
# must permit <FilesMatch>. The trailing $ covers only the final extension,
# so a server configured to run x.php.jpg through PHP still needs the
# plugin-side check.
<FilesMatch "\.(php|phtml|phar|php3|php4|php5|php7|phps)$">
    Require all denied
</FilesMatch>

# Nginx equivalent inside the server block. Regex locations are tried in
# the order they appear, so this block must come before the generic
# "location ~ \.php$" handler or the file is still passed to PHP-FPM.
# "deny all" answers with 403 on its own.
location ~* /wp-content/uploads/.*\.(php|phtml|phar|php[3-7]|phps)$ {
    deny all;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

