CVE-2024-4620
ArForms < 6.6 - Unauthenticated RCE
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
The ARForms - Premium WordPress Form Builder Plugin WordPress plugin before 6.6 allows unauthenticated users to modify uploaded files in such a way that PHP code can be uploaded when an upload file input is included on a form
El complemento ARForms - Premium WordPress Form Builder para WordPress anterior a 6.6 permite a los usuarios no autenticados modificar los archivos cargados de tal manera que el código PHP se pueda cargar cuando se incluye una entrada de archivo de carga en un formulario.
The ARforms plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 6.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVSS Scores
SSVC
- Decision:Attend
Timeline
- 2024-05-07 CVE Reserved
- 2024-05-17 CVE Published
- 2024-06-07 EPSS Updated
- 2024-08-01 CVE Updated
- 2024-08-01 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-434: Unrestricted Upload of File with Dangerous Type
CAPEC
References (1)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|---|---|
| https://wpscan.com/vulnerability/dc34dc2d-d5a1-4e28-8507-33f659ead647 | 2024-08-01 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Unknown Search vendor "Unknown" | ARForms - Premium WordPress Form Builder Plugin Search vendor "Unknown" for product "ARForms - Premium WordPress Form Builder Plugin" | < 6.6 Search vendor "Unknown" for product "ARForms - Premium WordPress Form Builder Plugin" and version " < 6.6" | en |
Affected
| ||||||