Easy Form Builder <= 1.0 - Authenticated Arbitrary File Upload
CVE-2021-24224

8.8HIGH

Key Information:

Vendor: Wordpress
Status: Easy Form Builder
Vendor: CVE Published:; 12 April 2021

Summary

The EFBP_verify_upload_file AJAX action of the Easy Form Builder WordPress plugin through 1.0, available to authenticated users, does not have any security in place to verify uploaded files, allowing low privilege users to upload arbitrary files, leading to RCE.

Affected Version(s)

Easy Form Builder 1.0

References

https://wpscan.com/vulnerability/ed0c054b-54bf-4df8-9015-...

x_refsource_CONFIRM

https://github.com/jinhuang1102/CVE-ID-Reports/blob/e4c33...

x_refsource_MISC

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 12, 2021
Vulnerability Reserved
Jan 14, 2021

Credit

Jin Huang