Skip to main content

Quform CVE-2026-56058

| EUVDEUVD-2026-39712 CRITICAL
Unrestricted Upload of File with Dangerous Type (CWE-434)
2026-06-26 audit@patchstack.com GHSA-86wc-v2qw-vmwq
9.9
CVSS 3.1 · Vendor: patchstack
Share

Severity by source

Vendor (patchstack) PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
9.9 CRITICAL

Subscriber-level account needed so PR:L; network-reachable upload with no victim interaction (AV:N/UI:N), and RCE crossing the authorization boundary justifies S:C with full C/I/A:H.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (patchstack).

CVSS VectorVendor: patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 16:00 vuln.today

DescriptionCVE.org

Subscriber Arbitrary File Upload in Quform <= 2.23.0 versions.

AnalysisAI

Arbitrary file upload in the Quform WordPress plugin (versions <= 2.23.0) lets authenticated users with only Subscriber-level privileges upload files of attacker-controlled type, enabling web shell deployment and full site takeover. The CVSS:3.1 vector (PR:L, S:C) reflects a low privilege bar combined with a scope change, which drives the 9.9 score. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register Subscriber account via open signup
Delivery
Access Quform form with upload field
Exploit
Submit malicious PHP file bypassing type checks
Execution
File written to web-accessible path
Persist
Browse to uploaded script
Impact
Execute code, take over site

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated WordPress account at Subscriber level or higher (CVSS PR:L) on a site running Quform <= 2.23.0 with a reachable form that includes a file-upload field. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mostly consistent toward high priority: the CVSS:3.1 base score is 9.9 with AV:N (network), AC:L (low complexity), PR:L (low privileges), UI:N (no user interaction) and S:C (scope change), which is the classic profile of a pre-RCE file-upload flaw. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers (or obtains) a Subscriber account on a WordPress site running Quform <= 2.23.0, then submits a form with a file-upload field carrying a malicious PHP file disguised or unfiltered by type validation. The uploaded script lands in a web-accessible path and is executed by browsing to its URL, giving the attacker code execution and a foothold for full site takeover. …
Remediation Upgrade Quform to a release newer than 2.23.0 once confirmed via the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/quform/vulnerability/wordpress-quform-plugin-2-23-0-arbitrary-file-upload-vulnerability); the exact patched version was not provided in this data set and must be verified before deployment. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: identify all WordPress instances running Quform ≤2.23.0 and disable the plugin; remove file upload permissions for Subscriber-level user roles. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-56058 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy