CVE-2024-7782

The Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the iconRemove function in versions 2.0 to 2.13.4. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Configurations

Configuration 1 (hide)

cpe:2.3:a:bitapps:contact_form_builder:*:*:*:*:*:wordpress:*:*

History

26 Aug 2024, 18:21

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 8.7
v2 : unknown
v3 : 6.5
References () https://plugins.trac.wordpress.org/browser/bit-form/tags/2.13.0/includes/Admin/AdminAjax.php#L1271 - () https://plugins.trac.wordpress.org/browser/bit-form/tags/2.13.0/includes/Admin/AdminAjax.php#L1271 - Patch
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/d4da8ead-326f-4c93-b56d-8bfa643d7906?source=cve - () https://www.wordfence.com/threat-intel/vulnerabilities/id/d4da8ead-326f-4c93-b56d-8bfa643d7906?source=cve - Third Party Advisory
CPE cpe:2.3:a:bitapps:contact_form_builder:*:*:*:*:*:wordpress:*:*
First Time Bitapps contact Form Builder
Bitapps

20 Aug 2024, 15:44

Type Values Removed Values Added
Summary
  • (es) El complemento Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder para WordPress es vulnerable a la eliminación arbitraria de archivos debido a una validación insuficiente de la ruta del archivo en la función iconRemove en las versiones 2.0 a 2.13.4. Esto hace posible que atacantes autenticados, con acceso de nivel de administrador y superior, eliminen archivos arbitrarios en el servidor, lo que puede conducir fácilmente a la ejecución remota de código cuando se elimina el archivo correcto (como wp-config.php).

20 Aug 2024, 04:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-08-20 04:15

Updated : 2024-08-26 18:21


NVD link : CVE-2024-7782

Mitre link : CVE-2024-7782

CVE.ORG link : CVE-2024-7782


JSON object : View

Products Affected

bitapps

  • contact_form_builder
CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')