Arbitrary File Upload Vulnerability in Funnelforms Free Plugin for WordPress
CVE-2024-6311
7.2HIGH
Key Information:
- Vendor
- Wordpress
- Status
- Vendor
- CVE Published:
- 28 August 2024
Summary
The Funnelforms Free plugin for WordPress has a vulnerability that allows for arbitrary file uploads due to inadequate file type validation in the 'af2_add_font' function. This vulnerability affects all versions of the plugin up to and including version 3.7.3.2. Authenticated attackers with administrator-level permissions can exploit this weakness to upload unauthorized files to the server, raising the risk of remote code execution. Website administrators are advised to update to the latest version to mitigate this security risk.
Affected Version(s)
Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free * <= 3.7.3.2
References
CVSS V3.1
Score:
7.2
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
István Márton