CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-12201 – Hash Form <= 1.2.1 - Missing Authorization to Authenticated (Contributor+) Form Style Creation
https://notcve.org/view.php?id=CVE-2024-12201
11 Dec 2024 — The Hash Form – Drag & Drop Form Builder plugin for WordPress is vulnerable to unauthorized access due to a missing capability check when creating form styles in all versions up to, and including, 1.2.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to create new form styles. • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3205245%40hash-form&new=3205245%40hash-form&sfp_email=&sfph_mail= • CWE-862: Missing Authorization •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-9417 – Hash Form - Drag & Drop Form Builder <= 1.1.9 - Unauthenticated Limited File Upload
https://notcve.org/view.php?id=CVE-2024-9417
04 Oct 2024 — The Hash Form – Drag & Drop Form Builder plugin for WordPress is vulnerable to limited file uploads due to a misconfigured file type validation in the 'handleUpload' function in all versions up to, and including, 1.1.9. This makes it possible for unauthenticated attackers to upload files that are excluded from both the 'allowedExtensions' and 'unallowed_extensions' arrays on the affected site's server, including files that may contain cross-site scripting. • https://plugins.trac.wordpress.org/browser/hash-form/trunk/admin/classes/HashFormUploader.php#L107 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 6CVE-2024-5084 – Hash Form – Drag & Drop Form Builder <= 1.1.0 - Unauthenticated Arbitrary File Upload to Remote Code Execution
https://notcve.org/view.php?id=CVE-2024-5084
22 May 2024 — The Hash Form – Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'file_upload_action' function in all versions up to, and including, 1.1.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. El complemento Hash Form – Drag & Drop Form Builder para WordPress es vulnerable a cargas de archivos arbitrarias debido a la falta ... • https://github.com/WOOOOONG/CVE-2024-5084 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-5085 – Hash Form – Drag & Drop Form Builder <= 1.1.0 - Unauthenticated PHP Object Injection
https://notcve.org/view.php?id=CVE-2024-5085
22 May 2024 — The Hash Form – Drag & Drop Form Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.1.0 via deserialization of untrusted input in the 'process_entry' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensi... • https://plugins.trac.wordpress.org/browser/hash-form/trunk/admin/classes/HashFormEntry.php#L353 • CWE-502: Deserialization of Untrusted Data •