CVE-2023-6133
4.9 MEDIUM
Key Information:
- Vendor: wpmudev
- Product: Forminator – Contact Form, Payment Form & Custom Form Builder
- CVE Published: 15 November 2023
Summary
The Forminator plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient blacklisting on the 'forminator_allowed_mime_types' function in versions up to, and including, 1.27.0. This makes it possible for authenticated attackers with administrator-level capabilities or above to upload arbitrary files on the affected site's server, but due to the htaccess configuration, remote code cannot be executed.
Affected Version(s)
Forminator – Contact Form, Payment Form & Custom Form Builder * <= 1.27.0
CVSS V3.1
- Score: 4.9
- Severity: MEDIUM
- Confidentiality: None
- Integrity: High
- Availability: None
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Collectors
NVD Database, Mitre Database
Credit
István Márton