PT-2023-4778 · WordPress · Forminator
Mehmet
·
Published
2023-07-20
·
Updated
2023-09-06
·
CVE-2023-4596
CVSS v2.0
10
Critical
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
Forminator plugin for WordPress versions up to, and including, 1.24.6
Description
The Forminator plugin for WordPress is vulnerable to arbitrary file uploads due to file type validation occurring after a file has been uploaded to the server in the
upload post image() function. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server, which may make remote code execution possible. The vulnerability affects over 400,000 sites.Recommendations
For Forminator plugin for WordPress versions up to, and including, 1.24.6:
Update to a version later than 1.24.6 to resolve the issue.
As a temporary workaround, consider disabling the
upload post image() function until a patch is available.
Restrict access to the upload functionality to minimize the risk of exploitation.Exploit
Fix
RCE
Unrestricted File Upload
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Forminator