CVE-2021-24223

Name of the Vulnerable Software and Affected Versions: N5 Upload Form WordPress plugin versions 1.0 and earlier

Description: The issue allows for arbitrary file upload in pages where a form from the plugin is embedded, enabling any file to be uploaded. The filename is generated using md5(uniqid(rand())), making it difficult to guess. However, if the server is misconfigured with directory listing enabled, accessing the uploaded file becomes straightforward.

Recommendations: For N5 Upload Form WordPress plugin versions 1.0 and earlier, update to a version that addresses the arbitrary file upload issue. As a temporary workaround, consider disabling the file upload functionality in the plugin until a patch is available. Restrict access to the directory where uploaded files are stored to minimize the risk of exploitation.