CVE Catalog

CVE-2026-56058

CriticalCVSS 9.9
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.36%

28th percentile — higher than 28% of all known CVEs

Summary

A vulnerability in the Quform plugin versions up to 2.23.0 allows a subscriber-level user to upload arbitrary files to the server. An attacker can exploit this flaw to upload a malicious file, potentially leading to full site compromise.

Risk Assessment

The risk for the organization includes the possibility of remote code execution by an unauthorized user, which may result in data integrity breaches, information theft, or complete takeover of the WordPress site.

Recommendation

It is recommended to immediately update the Quform plugin to the latest available version that fixes this vulnerability. Also, restrict subscriber user permissions to the minimum necessary.

Original NVD description (English source)

Subscriber Arbitrary File Upload in Quform <= 2.23.0 versions.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS