How is CVE-2026-52705 exploited?

Network reachability (required): The plugin endpoint is exposed over the network, so an attacker must be able to reach the WordPress HTTP service to exploit this vulnerability. Authentication (not-required): No account or credentials of any kind are required; the vulnerable file upload endpoint is accessible to unauthenticated requests. Victim interaction (not-required): The attacker acts entirely autonomously against the server-side endpoint; no user action is needed to trigger the vulnerability. Attack complexity (info): Attack complexity is rated High, meaning exploitation depends on environmental factors such as specific server configurations, race conditions, or file-handling behaviors that the attacker cannot fully control but must account for.

What is the impact of CVE-2026-52705?

A successful attacker uploads and executes arbitrary server-side code, gaining a remote shell on the host running the WordPress application. With a remote shell in place, the attacker reads all stored data including database credentials, session tokens, form submissions, and any files accessible to the web server process. The attacker modifies or deletes any file the web server process can write, including WordPress core files, plugin files, and stored user data. The attacker can crash or destabilize the application server, causing a full service outage for the affected WordPress installation.

Back to search

CRITICALCVE-2026-52705Published 2026-06-17Modified 2026-06-17CNA Patchstack

CVE-2026-52705: WordPress SigmaForms Pro – AI Generated Forms plugin <= 1.4.5 - Arbitrary File Upload vulnerability

Q: What is CVE-2026-52705?

An arbitrary file upload vulnerability affects the SigmaForms Pro AI Generated Forms WordPress plugin at version 1.4.5 and earlier. The flaw is reachable over the network without any authentication, and exploitation requires satisfying certain environmental or race conditions given the high attack complexity rating. Successful exploitation gives an attacker full control over confidentiality, integrity, and availability of the affected system, including the ability to upload and execute arbitrary code. No fix version has been published yet; HarborGuard tracks this advisory and will make a patched rebuild available the moment upstream ships a fix.

Q: Is CVE-2026-52705 patched?

Because no upstream fix version has been published, HarborGuard re-checks this advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix is released. In the meantime, customers can apply compensating controls through HarborGuard policy rules, such as network-policy isolation for affected workloads, to reduce exposure while the upstream maintainer works toward a patch.

Unauthenticated Arbitrary File Upload in SigmaForms Pro – AI Generated Forms <= 1.4.5 versions.

CVSS v3.1: 9.0
Severity: CRITICAL
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

An arbitrary file upload vulnerability affects the SigmaForms Pro AI Generated Forms WordPress plugin at version 1.4.5 and earlier. The flaw is reachable over the network without any authentication, and exploitation requires satisfying certain environmental or race conditions given the high attack complexity rating. Successful exploitation gives an attacker full control over confidentiality, integrity, and availability of the affected system, including the ability to upload and execute arbitrary code. No fix version has been published yet; HarborGuard tracks this advisory and will make a patched rebuild available the moment upstream ships a fix.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including the Patchstack advisory feed, within minutes of publication and matched against customer images that include this plugin, including custom-built WordPress images. Any image layer containing the SigmaForms Pro plugin at an affected version is flagged automatically.

Available

Triage

HarborGuard surfaces this CVE with its CVSS 3.1 score of 9.0 (CRITICAL) and applies per-environment compliance policy weighting to determine urgency and routing. Findings are directed to the appropriate team inbox within each customer organization based on configured ownership rules.

Available

Patch

Because no upstream fix version has been published, HarborGuard re-checks this advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix is released. In the meantime, customers can apply compensating controls through HarborGuard policy rules, such as network-policy isolation for affected workloads, to reduce exposure while the upstream maintainer works toward a patch.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The plugin endpoint is exposed over the network, so an attacker must be able to reach the WordPress HTTP service to exploit this vulnerability.
AuthenticationNot required
No account or credentials of any kind are required; the vulnerable file upload endpoint is accessible to unauthenticated requests.
Victim interactionNot required
The attacker acts entirely autonomously against the server-side endpoint; no user action is needed to trigger the vulnerability.
Attack complexityDetail
Attack complexity is rated High, meaning exploitation depends on environmental factors such as specific server configurations, race conditions, or file-handling behaviors that the attacker cannot fully control but must account for.

Blast Radius

A successful attacker uploads and executes arbitrary server-side code, gaining a remote shell on the host running the WordPress application.
With a remote shell in place, the attacker reads all stored data including database credentials, session tokens, form submissions, and any files accessible to the web server process.
The attacker modifies or deletes any file the web server process can write, including WordPress core files, plugin files, and stored user data.
The attacker can crash or destabilize the application server, causing a full service outage for the affected WordPress installation.

How HarborGuard Handles This

Available on HarborGuard: because no upstream patch exists for CVE-2026-52705 at this time, HarborGuard monitors the Patchstack advisory on every ingest cycle and will trigger a patched-image rebuild automatically as soon as a fix version is published. For customers with auto-remediation enabled, that rebuild will be followed by a regression-test run and a PR opened against affected workloads, with no manual intervention required. While awaiting a patch, HarborGuard recommends applying network-policy isolation to restrict inbound HTTP access to affected WordPress workloads, using egress filtering to limit outbound connections from the web server process (reducing the utility of a webshell), and evaluating whether the SigmaForms Pro plugin can be disabled at the feature or container-config level until the maintainer ships a fix. The advisory will be re-evaluated and the finding status updated on every ingest cycle.

See how HarborGuard automates this

Affected packages

BDthemes / SigmaForms Pro – AI Generated Forms
≤ 1.4.5

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

References

patchstack.com

Metrics

Get notified