CVE-2026-56058: WordPress Quform plugin <= 2.23.0 - Arbitrary File Upload vulnerability
Subscriber-level arbitrary file upload in Quform versions <= 2.23.0.
Metrics
- CVSS v3.1: 9.9
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An arbitrary file upload vulnerability affects the WordPress Quform plugin by ThemeCatcher in version 2.23.0 and earlier. The flaw is reachable over the network and requires only a low-privilege account (subscriber level), with no victim interaction, and allows an attacker to upload and execute arbitrary files on the server. The CVSS vector records a scope change (S:C): the impact is not confined to the plugin but extends to the whole WordPress host, giving the attacker full control over the confidentiality, integrity and availability of the affected system, including remote code execution. No fixed version has been published at the time of writing; HarborGuard is tracking this advisory and will make a patched-image rebuild available once an upstream fix is published.
HarborGuard Coverage
Detection for CVE-2026-56058 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle the Quform plugin.
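A self-contained way to run the same version match yourself, as an added example that is neither HarborGuard's scanner nor ThemeCatcher's code: it reads the standard WordPress plugin header (the `Version:` line that WordPress itself parses from the first 8 KiB of a plugin's main file) and compares it numerically against the affected ceiling of 2.23.0. The sample header is constructed for illustration, and the install layout `wp-content/plugins/<slug>/*.php` and the hypothetical `scan_wordpress` entry point are assumptions.

```python
"""Flag Quform builds in the CVE-2026-56058 affected range from plugin headers."""
from __future__ import annotations

import re
import sys
from pathlib import Path
from typing import Optional

CVE_ID = "CVE-2026-56058"
MAX_AFFECTED = "2.23.0"  # from the advisory: every release up to and including this one

# Constructed sample of a plugin main-file header in the standard WordPress
# header format. Not a real file from the plugin.
SAMPLE_PLUGIN_HEADER = """<?php
/*
Plugin Name: Quform
Plugin URI: https://www.quform.com
Description: Responsive form builder.
Version: 2.22.1
Author: ThemeCatcher
*/
"""

# Same shape WordPress uses for header fields: optional comment junk, key, value.
_VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.IGNORECASE | re.MULTILINE)
_NAME_RE = re.compile(r"^[ \t/*#@]*Plugin Name:[ \t]*Quform\b", re.IGNORECASE | re.MULTILINE)


def version_key(version: str) -> tuple:
    """'2.23.0' -> (2, 23, 0). Numeric, so 2.9.9 < 2.23.0 (a string compare gets this wrong).

    Pre-release tails ('2.24.0-beta1') are dropped; short versions are
    zero-padded so '2.23' equals '2.23.0'.
    """
    m = re.match(r"\d+(?:\.\d+)*", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    parts = [int(p) for p in m.group(0).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(version: str, max_affected: str = MAX_AFFECTED) -> bool:
    """True when the installed version is at or below the advisory's ceiling."""
    return version_key(version) <= version_key(max_affected)


def plugin_version(header_text: str) -> Optional[str]:
    m = _VERSION_RE.search(header_text)
    return m.group(1) if m else None


def assess_plugin_file(header_text: str) -> dict:
    """Result for one plugin main file; 'affected' is None when no version is found."""
    version = plugin_version(header_text)
    if version is None:
        return {"cve": CVE_ID, "version": None, "affected": None, "note": "no Version header"}
    return {"cve": CVE_ID, "version": version, "affected": is_affected(version)}


def scan_wordpress(root: str) -> list[dict]:
    """Walk <root>/wp-content/plugins/*/*.php for a Quform header (assumed layout)."""
    results = []
    for php in (Path(root) / "wp-content" / "plugins").glob("*/*.php"):
        head = php.read_text(errors="replace")[:8192]  # WordPress reads headers from the first 8 KiB
        if _NAME_RE.search(head):
            results.append({"path": str(php), **assess_plugin_file(head)})
    return results


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for result in scan_wordpress(sys.argv[1]):
            print(result)
    else:
        print(assess_plugin_file(SAMPLE_PLUGIN_HEADER))
```

Run it with the WordPress document root as the only argument to walk a real install, or with no argument to evaluate the constructed sample. The numeric comparison matters here: version 2.9.9 sorts after 2.23.0 as a string but is inside the affected range.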
HarborGuard scores this CVE at CVSS 9.9 Critical and weights it against each environment's compliance policy to surface it at the appropriate severity tier; routing to the right team inbox within each customer org is handled automatically based on policy configuration.
Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment ThemeCatcher ships a remediated release. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads are triggered without manual intervention.
Exploit Conditions
- Network reachability: Required
The vulnerable endpoint is exposed over the network, so an attacker must be able to reach the WordPress installation via HTTP or HTTPS.
- Authentication: Required
Any low-privilege account (subscriber level or equivalent) is sufficient; no administrator credentials are needed.
- Victim interaction: Not required
The attacker does not need to trick or involve any other user to complete the exploit.
- Attack complexity: Low
The exploit is reliable and condition-free: no race conditions, special memory layout, or environmental factors are required.
Blast Radius
- Attacker uploads and executes arbitrary server-side code, achieving remote code execution on the host running WordPress.
- All stored site content, user records, and credentials held in the database become readable to the attacker.
- Attacker can modify or delete any file or database row accessible to the web server process.
- The attacker can crash or render unavailable the WordPress application and any services sharing the same host.
How HarborGuard Handles This
Available on HarborGuard: this CVE is flagged as Critical (CVSS 9.9) with no upstream patch currently published, so the primary capability offered right now is continuous advisory monitoring. HarborGuard re-checks the Quform advisory on every ingest cycle and will surface a patched-image rebuild automatically the moment ThemeCatcher publishes a fix. In the interim, compensating controls worth considering include: network-policy rules that restrict access to the Quform upload endpoints to trusted networks, since the attacker needs only a subscriber-level account; closing open self-registration ("Anyone can register" in WordPress general settings) where it is not needed, so attackers cannot create the low-privilege account the exploit requires; egress filtering to limit what an uploaded file can reach; and disabling Quform's file-upload feature in its configuration if it is not required. For customers with auto-remediation enabled, once an upstream fix is available the full flow (rebuild, regression run, and PR against affected workloads) triggers without manual steps; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes in environments where that policy is active.
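One further interim control, added here as an example and not taken from the page or from Quform's documentation: refuse to execute PHP from the directory where user uploads land, so that an uploaded script is served as an error rather than run. It assumes a stock WordPress layout in which Quform writes uploads under `wp-content/uploads` (an assumption; confirm the path in your own install) and an nginx server that hands `.php` to PHP-FPM through a generic `location ~ \.php$` block elsewhere in the configuration.

```nginx
# Added example; assumes Quform stores uploads below wp-content/uploads.
# nginx picks the first matching regex location in file order, so this block
# must appear BEFORE the generic `location ~ \.php$` PHP-FPM handler,
# otherwise the handler wins and the uploaded file is executed.
location ~* ^/wp-content/uploads/.*\.(php|phtml|phar)$ {
    return 403;
}
```

This narrows the blast radius rather than removing it: a file written outside the uploads tree, or a non-PHP payload (an `.html` page used for phishing, for instance), is not covered, and the rule does nothing if the plugin is configured to store uploads elsewhere. Treat it as a stopgap until a fixed Quform release is installed.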
Affected Products
- ThemeCatcher / Quform: ≤ 2.23.0
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H