File Upload Vulnerability in Hash Form's Drag & Drop Form Builder
CVE-2024-9417

6.1MEDIUM

Key Information:

Vendor: Hashthemes
Status: Hash Form – Drag & Drop Form Builder
Vendor: CVE Published:; 5 October 2024

Summary

The Hash Form – Drag & Drop Form Builder plugin for WordPress is affected by a vulnerability that allows unauthenticated attackers to perform limited file uploads. This issue arises from a flaw in the file type validation within the 'handleUpload' function. Versions of the plugin up to and including 1.1.9 are impacted, permitting malicious file types to bypass both 'allowedExtensions' and 'unallowed_extensions' arrays. As a result, attackers may upload files that could contain harmful content, including cross-site scripting payloads, posing significant security risks to the affected WordPress sites.

Affected Version(s)

Hash Form – Drag & Drop Form Builder * <= 1.1.9

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/hash-form/trun...

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Oct 5, 2024
Vulnerability Reserved
Oct 1, 2024

Collectors

NVD DatabaseMitre Database

Credit

Rein Daelman