Arbitrary File Upload Vulnerability in Funnelforms Free Plugin for WordPress
CVE-2024-6311

7.2HIGH

Summary

The Funnelforms Free plugin for WordPress has a vulnerability that allows for arbitrary file uploads due to inadequate file type validation in the 'af2_add_font' function. This vulnerability affects all versions of the plugin up to and including version 3.7.3.2. Authenticated attackers with administrator-level permissions can exploit this weakness to upload unauthorized files to the server, raising the risk of remote code execution. Website administrators are advised to update to the latest version to mitigate this security risk.

Affected Version(s)

Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free * <= 3.7.3.2

References

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

István Márton
.