PT-2021-15768 · WordPress · Easy Form Builder

Jin Huang · Published 2021-04-12 · Updated 2021-04-20 · CVE-2021-24224

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Easy Form Builder WordPress plugin versions 1.0 and earlier

Description: The EFBP verify upload file AJAX action does not validate the files it receives. Any authenticated user, including low-privilege accounts, can therefore upload arbitrary files, which can lead to remote code execution (RCE) if a server-side script is uploaded and then requested.

Recommendations: For Easy Form Builder WordPress plugin versions 1.0 and earlier, disable the EFBP verify upload file AJAX action until a patch is available so that arbitrary files cannot be uploaded. Restrict file upload functionality to roles that genuinely need it, so that low-privilege users cannot reach it.
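As an added illustration of the recommendation above (this is example code, not code from the Easy Form Builder plugin or its author), the following shows what a WordPress AJAX upload handler needs before it accepts a file: a nonce check, a capability check that excludes low-privilege roles, and an explicit extension/MIME allow-list that WordPress core validates against the file's real content. The action name, nonce action and form field name are hypothetical.

```php
<?php
// Added example (not the Easy Form Builder plugin's own code): a hardened
// WordPress AJAX upload handler. The action "myplugin_verify_upload", the nonce
// action "myplugin_upload_nonce" and the field "efb_file" are hypothetical.

add_action( 'wp_ajax_myplugin_verify_upload', 'myplugin_handle_upload' );

function myplugin_handle_upload() {
    // 1. CSRF: the request must carry a valid nonce for this action.
    check_ajax_referer( 'myplugin_upload_nonce', 'nonce' );

    // 2. Authorisation: a logged-in session is not enough. Require a capability
    //    that low-privilege roles (subscriber, contributor) do not have.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }

    if ( empty( $_FILES['efb_file'] ) || ! is_uploaded_file( $_FILES['efb_file']['tmp_name'] ) ) {
        wp_send_json_error( array( 'message' => 'no file received' ), 400 );
    }
    $file = $_FILES['efb_file'];

    // 3. Type validation: an explicit allow-list. wp_check_filetype_and_ext()
    //    checks the extension and, for images and other known types, the real
    //    content, so a PHP script renamed to .png is rejected.
    $allowed = array(
        'pdf'      => 'application/pdf',
        'png'      => 'image/png',
        'jpg|jpeg' => 'image/jpeg',
    );
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( false === $check['ext'] || false === $check['type'] ) {
        wp_send_json_error( array( 'message' => 'file type not allowed' ), 415 );
    }

    // 4. Let WordPress move the file. The same allow-list is enforced again,
    //    the filename is sanitised, and the file lands under wp-content/uploads.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload(
        $file,
        array(
            'test_form' => false,
            'mimes'     => $allowed,
        )
    );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( array( 'message' => $result['error'] ), 400 );
    }

    wp_send_json_success( array( 'url' => esc_url_raw( $result['url'] ) ) );
}
```

The capability check is the part that addresses the privilege issue in this advisory: `wp_ajax_*` handlers run for any logged-in user, so without it every registered account reaches the upload path. As defence in depth, independent of plugin code, the web server should also be configured not to execute scripts from the uploads directory, which limits the impact of any upload validation bug.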

Tags: Exploit · Fix · RCE · Unrestricted File Upload


Weakness Enumeration

Related Identifiers

CVE-2021-24224

Affected Products

Easy Form Builder