0Xbassia

The MagicForm WordPress plugin through 0.1.3 does not properly validate the type of files uploaded through an unauthenticated AJAX action when a form's per-field extension allowlist is left empty, allowing unauthenticated attackers to upload PHP files and execute arbitrary code on the server.

**Name of the Vulnerable Software and Affected Versions** Schema & Structured Data for WP & AMP versions prior to 1.60 **Description** The plugin fails to verify user capabilities within its frontend AJAX file-upload handlers and does not validate the actual content of uploaded files against the intended media type of the endpoint. This allows unauthenticated users to upload any file type supported by the WordPress media library through endpoints that are specifically intended to accept only images or videos. **Recommendations** Update to version 1.60 or later.

**Name of the Vulnerable Software and Affected Versions** form-data-objectizer versions prior to 1.0.1 **Description** The software fails to filter ` proto `, `constructor`, or `prototype` when converting FormData to objects using bracket-notation form keys. An attacker can submit a single HTTP form field with a name starting with ` proto [...]` to mutate `Object.prototype`, leading to prototype pollution across the entire Node.js process. This occurs within the `treatInitial()` and `treatSecond()` functions in `index.cjs`. This issue can be exploited to bypass security checks, inject configuration values, disrupt template rendering, or cause a denial of service by crashing the worker process. **Recommendations** Update to version 1.0.1.

**Name of the Vulnerable Software and Affected Versions** parse-nested-form-data versions prior to 1.0.1 **Description** The `parseFormData()` function processes bracket and dot-notation FormData field names into nested objects without filtering reserved property keys. An attacker can use a FormData field name that begins with ` proto ` or contains `. proto .` mid-path to cause the parser to traverse onto `Object.prototype` and assign properties there. This results in prototype pollution, where the prototype chain of every plain object in the running process is contaminated. The issue resides in the `handlePathPart()` function within `src/index.ts`, which fails to reject reserved keys during object-type path segment processing. This can lead to corrupted application state, altered control flow, or denial of service in applications that process attacker-controlled FormData, such as HTTP servers. **Recommendations** Update to version 1.0.1. As a temporary workaround, validate field names to ensure they do not contain ` proto `, `constructor`, or `prototype` before calling the `parseFormData()` function.

**Name of the Vulnerable Software and Affected Versions** deepobj versions prior to 1.0.3 **Description** Prototype pollution occurs when property paths contain ` proto `, `constructor`, or `prototype`. This issue arises when property paths are exposed as user input, allowing an attacker to modify the prototype of base object classes. **Recommendations** Update to version 1.0.3.

**Name of the Vulnerable Software and Affected Versions** RVF versions 6.0.0 through 6.0.3 RVF versions 7.0.0 through 7.0.1 **Description** The `setPath` function in `@rvf/set-get` (used by `@rvf/core` to flatten incoming form data into a nested object) fails to block the keys ` proto `, `constructor`, or `prototype` when walking a path. Because field names in submitted form data are passed directly to `setPath` via `preprocessFormData` (and through `parseFormData` or `validate`), an attacker can set arbitrary properties on `Object.prototype` of the running server process. This is a prototype pollution primitive—a condition where an attacker can manipulate the prototype of base objects to change the behavior of the application—that is reachable by default without special configuration. Any endpoint that accepts a form via `parseFormData` or runs a validator created with `createValidator()` is affected. This can lead to bypassing security checks, injecting unintended configuration values, breaking template rendering, or causing a denial of service by crashing the worker process. **Recommendations** Update RVF versions 6.0.0 through 6.0.3 to version 6.0.4. Update RVF versions 7.0.0 through 7.0.1 to version 7.0.2.