CVE-2023-36505
WordPress Ninja Forms Plugin <= 3.6.24 is vulnerable to Arbitrary File Deletion
Public Exploits: 0
Exploited in Wild: -
Descriptions
Improper Input Validation vulnerability in Saturday Drive Ninja Forms Contact Form. This issue affects Ninja Forms Contact Form: from n/a through 3.6.24.
Improper input validation vulnerability in Saturday Drive Ninja Forms Contact Form. This issue affects the Ninja Forms contact form: from n/a through 3.6.24.
The Ninja Forms plugin for WordPress is vulnerable to arbitrary file deletion in versions up to, and including, 3.6.24. This is due to insufficient restriction on the file path that can be supplied during file deletion. This makes it possible for authenticated attackers, with administrative-level access, to delete arbitrary files on the server. One such file that could be targeted is wp-config.php, which, if deleted, can make it possible for an attacker to connect a site to their own database and ultimately achieve remote code execution on the server.
SSVC
- Decision: Track
Timeline
- 2023-06-22 CVE Reserved
- 2023-06-22 CVE Published
- 2024-04-18 EPSS Updated
- 2024-08-02 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-20: Improper Input Validation
- CWE-73: External Control of File Name or Path
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Ninja Forms | Ninja Forms | >= 0.0.0 <= 3.6.24 | en | Affected