Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
4 vulnerabilities by themecatcher
CVE-2026-56058 (GCVE-0-2026-56058)
Vulnerability from nvd – Published: 2026-06-26 14:52 – Updated: 2026-06-26 17:43
VLAI
EPSS
VEX
Title
WordPress Quform plugin <= 2.23.0 - Arbitrary File Upload vulnerability
Summary
Subscriber Arbitrary File Upload in Quform <= 2.23.0 versions.
Severity
9.9 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/wordpress/plugin/… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| ThemeCatcher | Quform |
Affected:
n/a , ≤ 2.23.0
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-56058",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-26T17:33:59.356036Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T17:43:18.868Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "quform",
"product": "Quform",
"vendor": "ThemeCatcher",
"versions": [
{
"changes": [
{
"at": "2.23.1",
"status": "unaffected"
}
],
"lessThanOrEqual": "2.23.0",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "daroo | Patchstack Bug Bounty Program"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Subscriber Arbitrary File Upload in Quform \u003c= 2.23.0 versions."
}
],
"value": "Subscriber Arbitrary File Upload in Quform \u003c= 2.23.0 versions."
}
],
"impacts": [
{
"capecId": "CAPEC-253",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-253 Remote Code Inclusion"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T14:52:46.731Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/plugin/quform/vulnerability/wordpress-quform-plugin-2-23-0-arbitrary-file-upload-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update the WordPress Quform Plugin to the latest available version (at least 2.23.1)."
}
],
"value": "Update the WordPress Quform Plugin to the latest available version (at least 2.23.1)."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Quform plugin \u003c= 2.23.0 - Arbitrary File Upload vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2026-56058",
"datePublished": "2026-06-26T14:52:46.731Z",
"dateReserved": "2026-06-18T14:38:04.421Z",
"dateUpdated": "2026-06-26T17:43:18.868Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-8756 (GCVE-0-2024-8756)
Vulnerability from nvd – Published: 2024-11-09 05:40 – Updated: 2026-04-08 17:19
VLAI
EPSS
VEX
Title
Quform - WordPress Form Builder <= 2.20.0 - Unauthenticated Sensitive Information Exposure
Summary
The Quform - WordPress Form Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.20.0 via the 'saveUploadedFile' function. This makes it possible for unauthenticated attackers to extract sensitive data, such as Personally Identifiable Information, from files uploaded by users. Files uploaded via forms created before version 2.21.0 will remain vulnerable to exposure after upgrading. To fully patch the plugin, site administrators should download any previously uploaded files, delete previously existing files and forms, and create the forms again after upgrading to version 2.21.0.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| ThemeCatcher | Quform - WordPress Form Builder |
Affected:
0 , ≤ 2.20.0
(semver)
|
|
| themecatcher | quform |
Affected:
0 , ≤ 2.20.0
(semver)
cpe:2.3:a:themecatcher:quform:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:themecatcher:quform:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "quform",
"vendor": "themecatcher",
"versions": [
{
"lessThanOrEqual": "2.20.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8756",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-12T16:07:54.483636Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T18:40:56.811Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Quform - WordPress Form Builder",
"vendor": "ThemeCatcher",
"versions": [
{
"lessThanOrEqual": "2.20.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Khayal Farzaliyev"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Quform - WordPress Form Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.20.0 via the \u0027saveUploadedFile\u0027 function. This makes it possible for unauthenticated attackers to extract sensitive data, such as Personally Identifiable Information, from files uploaded by users. Files uploaded via forms created before version 2.21.0 will remain vulnerable to exposure after upgrading. To fully patch the plugin, site administrators should download any previously uploaded files, delete previously existing files and forms, and create the forms again after upgrading to version 2.21.0."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:19:18.089Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/beb8ea66-3cd7-452f-9e64-8439de0ddc55?source=cve"
},
{
"url": "https://codecanyon.net/item/quform-wordpress-form-builder/706149"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-11-08T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Quform - WordPress Form Builder \u003c= 2.20.0 - Unauthenticated Sensitive Information Exposure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-8756",
"datePublished": "2024-11-09T05:40:23.254Z",
"dateReserved": "2024-09-12T16:15:17.805Z",
"dateUpdated": "2026-04-08T17:19:18.089Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-56058 (GCVE-0-2026-56058)
Vulnerability from cvelistv5 – Published: 2026-06-26 14:52 – Updated: 2026-06-26 17:43
VLAI
EPSS
VEX
Title
WordPress Quform plugin <= 2.23.0 - Arbitrary File Upload vulnerability
Summary
Subscriber Arbitrary File Upload in Quform <= 2.23.0 versions.
Severity
9.9 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/wordpress/plugin/… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| ThemeCatcher | Quform |
Affected:
n/a , ≤ 2.23.0
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-56058",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-26T17:33:59.356036Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T17:43:18.868Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "quform",
"product": "Quform",
"vendor": "ThemeCatcher",
"versions": [
{
"changes": [
{
"at": "2.23.1",
"status": "unaffected"
}
],
"lessThanOrEqual": "2.23.0",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "daroo | Patchstack Bug Bounty Program"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Subscriber Arbitrary File Upload in Quform \u003c= 2.23.0 versions."
}
],
"value": "Subscriber Arbitrary File Upload in Quform \u003c= 2.23.0 versions."
}
],
"impacts": [
{
"capecId": "CAPEC-253",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-253 Remote Code Inclusion"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T14:52:46.731Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/plugin/quform/vulnerability/wordpress-quform-plugin-2-23-0-arbitrary-file-upload-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update the WordPress Quform Plugin to the latest available version (at least 2.23.1)."
}
],
"value": "Update the WordPress Quform Plugin to the latest available version (at least 2.23.1)."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Quform plugin \u003c= 2.23.0 - Arbitrary File Upload vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2026-56058",
"datePublished": "2026-06-26T14:52:46.731Z",
"dateReserved": "2026-06-18T14:38:04.421Z",
"dateUpdated": "2026-06-26T17:43:18.868Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-8756 (GCVE-0-2024-8756)
Vulnerability from cvelistv5 – Published: 2024-11-09 05:40 – Updated: 2026-04-08 17:19
VLAI
EPSS
VEX
Title
Quform - WordPress Form Builder <= 2.20.0 - Unauthenticated Sensitive Information Exposure
Summary
The Quform - WordPress Form Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.20.0 via the 'saveUploadedFile' function. This makes it possible for unauthenticated attackers to extract sensitive data, such as Personally Identifiable Information, from files uploaded by users. Files uploaded via forms created before version 2.21.0 will remain vulnerable to exposure after upgrading. To fully patch the plugin, site administrators should download any previously uploaded files, delete previously existing files and forms, and create the forms again after upgrading to version 2.21.0.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| ThemeCatcher | Quform - WordPress Form Builder |
Affected:
0 , ≤ 2.20.0
(semver)
|
|
| themecatcher | quform |
Affected:
0 , ≤ 2.20.0
(semver)
cpe:2.3:a:themecatcher:quform:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:themecatcher:quform:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "quform",
"vendor": "themecatcher",
"versions": [
{
"lessThanOrEqual": "2.20.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8756",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-12T16:07:54.483636Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T18:40:56.811Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Quform - WordPress Form Builder",
"vendor": "ThemeCatcher",
"versions": [
{
"lessThanOrEqual": "2.20.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Khayal Farzaliyev"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Quform - WordPress Form Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.20.0 via the \u0027saveUploadedFile\u0027 function. This makes it possible for unauthenticated attackers to extract sensitive data, such as Personally Identifiable Information, from files uploaded by users. Files uploaded via forms created before version 2.21.0 will remain vulnerable to exposure after upgrading. To fully patch the plugin, site administrators should download any previously uploaded files, delete previously existing files and forms, and create the forms again after upgrading to version 2.21.0."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:19:18.089Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/beb8ea66-3cd7-452f-9e64-8439de0ddc55?source=cve"
},
{
"url": "https://codecanyon.net/item/quform-wordpress-form-builder/706149"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-11-08T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Quform - WordPress Form Builder \u003c= 2.20.0 - Unauthenticated Sensitive Information Exposure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-8756",
"datePublished": "2024-11-09T05:40:23.254Z",
"dateReserved": "2024-09-12T16:15:17.805Z",
"dateUpdated": "2026-04-08T17:19:18.089Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}