PT-2024-16465 · WordPress · Contact Form Entries

István Márton

Published

2024-01-30

Updated

2024-02-06

CVE-2024-1069

CVSS v3.1

7.2

High

Vector

AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Contact Form Entries plugin for WordPress versions up to, and including, 1.3.2

Description The issue is related to arbitrary file uploads due to insufficient file validation on the view page function. This allows authenticated attackers with administrator-level capabilities or above to upload arbitrary files on the affected site's server, which may make remote code execution possible.

Recommendations For versions up to, and including, 1.3.2, update to a version that fixes the insufficient file validation issue in the view page function to prevent arbitrary file uploads. As a temporary workaround, consider restricting access to the view page function until a patch is available.

Fix

RCE

Unrestricted File Upload

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-434

Related Identifiers

CVE-2024-1069

Affected Products

Contact Form Entries

PT-2024-16465 · WordPress · Contact Form Entries

CVE-2024-1069

Weakness Enumeration

Related Identifiers

Affected Products

References · 10