CVE-2024-7775

{"id": "CVE-2024-7775", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 1.7}, {"type": "Secondary", "source": "security@wordfence.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2024-08-20T04:15:10.033", "references": [{"url": "https://plugins.trac.wordpress.org/browser/bit-form/tags/2.13.6/includes/Admin/AdminAjax.php#L1314", "tags": ["Patch"], "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3936d7dc-840e-41fc-8af4-db40c0cff660?source=cve", "tags": ["Third Party Advisory"], "source": "security@wordfence.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}, {"type": "Secondary", "source": "security@wordfence.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "The Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder plugin for WordPress is vulnerable to arbitrary JavaScript file uploads due to missing input validation in the addCustomCode function in versions 2.0 to 2.13.9. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary JavaScript files to the affected site's server."}, {"lang": "es", "value": "El complemento Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder para WordPress es vulnerable a cargas arbitrarias de archivos JavaScript debido a la falta de validaci\u00f3n de entrada en la funci\u00f3n addCustomCode en las versiones 2.0 a 2.13.9. Esto hace posible que atacantes autenticados, con acceso de nivel de administrador y superior, carguen archivos JavaScript arbitrarios en el servidor del sitio afectado."}], "lastModified": "2024-08-26T18:18:22.887", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:bitapps:contact_form_builder:*:*:*:*:*:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "CE5FAC6F-CAFC-45B1-88E0-5ACC3E56CBAB", "versionEndExcluding": "2.13.10", "versionStartIncluding": "2.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@wordfence.com"}