PT-2024-34438 · WordPress · The Hash Form – Drag & Drop Form Builder

Francesco Carlucci · Published 2024-05-23 · Updated 2025-07-31 · CVE-2024-5084

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: The Hash Form – Drag & Drop Form Builder plugin for WordPress versions up to, and including, 1.1.0

Description: The issue arises from missing file type validation in the file upload action function, allowing unauthenticated attackers to upload arbitrary files to the affected site's server. This could potentially lead to remote code execution.

Recommendations: For versions up to, and including, 1.1.0, update to a version that includes a fix for the missing file type validation in the file upload action function. As a temporary workaround, consider disabling the file upload action function until a patch is available.

Exploit · Fix · RCE · Unrestricted File Upload


Weakness Enumeration

Related Identifiers

CVE-2024-5084

Affected Products

The Hash Form – Drag & Drop Form Builder