The Forminator plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient blacklisting on the 'forminator_allowed_mime_types' function in versions up to, and including, 1.27.0. This makes it possible for authenticated attackers with administrator-level capabilities or above to upload arbitrary files on the affected site's server, but due to the htaccess configuration, remote code cannot be executed.
References
Configurations
History
21 Nov 2024, 08:43
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 6.6 |
References | () https://plugins.trac.wordpress.org/browser/forminator/tags/1.27.0/library/fields/upload.php#L356 - Issue Tracking | |
References | () https://plugins.trac.wordpress.org/browser/forminator/tags/1.27.0/library/fields/upload.php#L372 - Issue Tracking | |
References | () https://plugins.trac.wordpress.org/changeset/2995007/forminator/trunk/library/helpers/helper-fields.php#file0 - Patch | |
References | () https://www.wordfence.com/threat-intel/vulnerabilities/id/13cfa202-ab90-46c0-ab53-00995bfdcaa3?source=cve - Third Party Advisory |
30 Nov 2023, 14:52
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-11-15 07:15
Updated : 2024-11-21 08:43
NVD link : CVE-2023-6133
Mitre link : CVE-2023-6133
CVE.ORG link : CVE-2023-6133
JSON object : View
Products Affected
incsub
- forminator
CWE
CWE-434
Unrestricted Upload of File with Dangerous Type