CVE-2024-32705 – WordPress ARForms plugin <= 6.4 - Subscriber+ Arbitrary Plugin Activation/Deactivation Vulnerability
https://notcve.org/view.php?id=CVE-2024-32705
Missing Authorization vulnerability in reputeinfosystems ARForms.This issue affects ARForms: from n/a through 6.4. Vulnerabilidad de autorización faltante en reputeinfosystems ARForms. Este problema afecta a ARForms: desde n/a hasta 6.4. The ARforms plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on a function in all versions up to, and including, 6.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to activate and deactivate arbitrary plugins. • https://patchstack.com/database/vulnerability/arforms/wordpress-arforms-plugin-6-4-subscriber-arbitrary-plugin-activation-deactivation-vulnerability?_s_id=cve • CWE-862: Missing Authorization •
CVE-2019-16902 – ARforms <= 3.7.1 - Unauthenticated Arbitrary File Deletion
https://notcve.org/view.php?id=CVE-2019-16902
In the ARforms plugin 3.7.1 for WordPress, arf_delete_file in arformcontroller.php allows unauthenticated deletion of an arbitrary file by supplying the full pathname. En el plugin Arforms versión 3.7.1 para WordPress, la función arf_delete_file en el archivo arformcontroller.php permite la eliminación no autenticada de un archivo arbitrario mediante el suministro del nombre de ruta completo. • https://www.exploit-db.com/exploits/47443 http://almorabea.net/cve-2019-16902.txt https://www.arformsplugin.com/documentation/changelog • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •