PT-2024-37532 · WordPress · Funnelforms Free

István Márton · Published 2024-08-27 · Updated 2024-09-12

CVE-2024-6311

CVSS v3.1: 7.2 (High)

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Funnelforms Free plugin for WordPress, all versions up to and including 3.7.3.2
Description: The plugin's af2 add font function writes the uploaded file to the server without validating its file type. An authenticated attacker with administrator-level or higher privileges can therefore upload arbitrary files, including PHP scripts, to the affected site's web server; if the uploaded file lands in a web-reachable location where the server executes it, this leads to remote code execution.
Recommendations: For versions up to and including 3.7.3.2, disable or block the af2 add font function until a patched release is available, and restrict which accounts can reach the plugin's upload functionality. If that is not practical, deactivate or remove the Funnelforms Free plugin until the issue is resolved. As defence in depth, configure the web server so that PHP is not executed from the uploads directory. Note that the CVSS vector requires high privileges (PR:H): on a standard single-site install an administrator can already upload plugins, so the practical impact is greatest where administrators are otherwise prevented from adding code (for example with DISALLOW_FILE_MODS set, or for site administrators on a multisite network where only super admins may install plugins). At the time of writing there is no information about a newer version that contains a fix for this vulnerability.
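The control the advisory says is missing is type validation of the uploaded "font" before it is written to disk. The following is an added illustration of what that validation looks like; it is not Funnelforms code (the plugin is PHP, and WordPress offers `wp_check_filetype_and_ext()` for this purpose), and the sample uploads are constructed. The function names, the allowlist and the error strings are this example's own. The magic-byte check alone is not sufficient (a file can carry a valid font header followed by PHP), which is why the extension allowlist and the server-rebuilt filename are the decisive checks: PHP executes by extension, and the web server should additionally refuse to execute scripts from the uploads directory.

```python
import os
import re

# Allowed font formats, keyed by extension, with the magic bytes each format starts with
# (TrueType: 0x00010000 or "true"; OpenType/CFF: "OTTO"; WOFF: "wOFF"; WOFF2: "wOF2").
FONT_SIGNATURES = {
    "ttf":   (b"\x00\x01\x00\x00", b"true"),
    "otf":   (b"OTTO", b"\x00\x01\x00\x00"),
    "woff":  (b"wOFF",),
    "woff2": (b"wOF2",),
}

# Server-side filename stem: lowercase alphanumerics, '_' and '-', max 64 characters.
STEM_RE = re.compile(r"[a-z0-9][a-z0-9_-]{0,63}")


class UploadRejected(ValueError):
    """Raised when an uploaded 'font' fails validation."""


def validate_font_upload(client_filename: str, data: bytes) -> str:
    """Validate a font upload and return the server-chosen filename to store it under.

    Checks, in order:
      1. strip any client-supplied path and require exactly one extension
         (rejects a.php.ttf and a.ttf.php style double extensions)
      2. the extension must be on the allowlist (the client's Content-Type is never trusted)
      3. the first bytes must match the declared format (rejects a PHP file renamed to .ttf)
    The returned name is rebuilt from the validated parts, so the stored file can never
    carry an executable extension.
    """
    base = os.path.basename(client_filename.replace("\\", "/")).lower()
    parts = base.split(".")
    if len(parts) != 2:
        raise UploadRejected("filename must have exactly one extension")
    stem, ext = parts
    if not STEM_RE.fullmatch(stem):
        raise UploadRejected("filename contains disallowed characters")
    if ext not in FONT_SIGNATURES:
        raise UploadRejected(f"extension .{ext} is not an allowed font type")
    if not any(data.startswith(sig) for sig in FONT_SIGNATURES[ext]):
        raise UploadRejected(f"content does not look like a .{ext} font")
    return f"{stem}.{ext}"


def classify_uploads(samples):
    """Run the validation over (filename, bytes) pairs; returns {filename: outcome}."""
    results = {}
    for name, data in samples:
        try:
            results[name] = "stored as " + validate_font_upload(name, data)
        except UploadRejected as exc:
            results[name] = "rejected: " + str(exc)
    return results


# Constructed sample uploads (not captured traffic): one legitimate font and four
# things an "add font" handler without type validation would write to disk as-is.
SAMPLES = [
    ("Roboto-Regular.ttf", b"\x00\x01\x00\x00" + b"\x00" * 64),
    ("shell.php", b"<?php system($_GET['c']); ?>"),
    ("shell.php.ttf", b"\x00\x01\x00\x00<?php system($_GET['c']); ?>"),
    ("../../wp-config.php", b"<?php // overwrite attempt ?>"),
    ("fake.woff", b"<?php echo 'not a font'; ?>"),
]

if __name__ == "__main__":
    for name, outcome in classify_uploads(SAMPLES).items():
        print(f"{name!r:24} -> {outcome}")
```

Only the genuine TrueType file is accepted, and it is stored under a name the server built itself; the renamed PHP file is caught by the signature check, the double-extension and path-traversal attempts never reach it.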

RCE

Unrestricted File Upload

Weakness Enumeration

Related Identifiers: CVE-2024-6311

Affected Products: Funnelforms Free