CVE-2024-7447

The Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'fnsf_af2_handel_file_upload' function in all versions up to, and including, 3.7.3.2. This makes it possible for unauthenticated attackers to upload arbitrary media to the site, even if no forms exist.
Configurations

Configuration 1 (hide)

cpe:2.3:a:funnelforms:funnelforms_free:*:*:*:*:*:wordpress:*:*

History

13 Sep 2024, 19:33

Type Values Removed Values Added
Summary
  • (es) El complemento The Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free para WordPress es vulnerable a la modificación no autorizada de datos debido a una falta de verificación de capacidad en la función 'fnsf_af2_handel_file_upload' en todas las versiones hasta la 3.7.3.2 incluida. Esto hace posible que atacantes no autenticados carguen contenido multimedia arbitrario en el sitio, incluso si no existen formularios.
CPE cpe:2.3:a:funnelforms:funnelforms_free:*:*:*:*:*:wordpress:*:*
First Time Funnelforms
Funnelforms funnelforms Free
References () https://plugins.trac.wordpress.org/browser/funnelforms-free/trunk/frontend/frontend.php#L2577 - () https://plugins.trac.wordpress.org/browser/funnelforms-free/trunk/frontend/frontend.php#L2577 - Product
References () https://plugins.trac.wordpress.org/changeset/3141470/ - () https://plugins.trac.wordpress.org/changeset/3141470/ - Patch
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/9871f683-136e-45b5-90fb-a373a771014b?source=cve - () https://www.wordfence.com/threat-intel/vulnerabilities/id/9871f683-136e-45b5-90fb-a373a771014b?source=cve - Third Party Advisory

28 Aug 2024, 12:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-08-28 12:15

Updated : 2024-09-13 19:33


NVD link : CVE-2024-7447

Mitre link : CVE-2024-7447

CVE.ORG link : CVE-2024-7447


JSON object : View

Products Affected

funnelforms

  • funnelforms_free
CWE
CWE-862

Missing Authorization