The Forminator plugin for WordPress is vulnerable to arbitrary file uploads in versions up to, and including, 1.24.6, because the upload_post_image() function validates the file type only after the file has been uploaded to the server. This makes it possible for unauthenticated attackers to upload arbitrary files to the affected site's server, which may make remote code execution possible.
References
Link | Resource |
---|---|
https://plugins.trac.wordpress.org/changeset/2954409/forminator/trunk/library/fields/postdata.php | Patch |
https://www.exploit-db.com/exploits/51664 | Exploit Third Party Advisory VDB Entry |
https://www.wordfence.com/threat-intel/vulnerabilities/id/9cd87da6-1f4c-4a15-8ebb-6e0f8ef72513?source=cve | Third Party Advisory |
History
21 Nov 2024, 08:35
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-08-30 02:15
Updated : 2024-11-21 08:35
NVD link : CVE-2023-4596
Mitre link : CVE-2023-4596
CVE.ORG link : CVE-2023-4596
Products Affected
incsub
- forminator
CWE
No CWE.