PT-2024-37533 · WordPress · Funnelforms Free

István Márton · Published 2024-08-27 · Updated 2024-09-12 · CVE-2024-6312

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Funnelforms Free plugin for WordPress, versions up to and including 3.7.3.2
Description: The plugin is vulnerable to arbitrary file deletion because it does not validate a file or its path before deleting it. The flaw lies in the af2DeleteFontFile function and allows unauthenticated attackers to delete arbitrary files, including wp-config.php, which can lead to site takeover and remote code execution.
Recommendations: For versions up to and including 3.7.3.2, update to a version higher than 3.7.3.2 to resolve the issue. As a temporary workaround, consider disabling the af2DeleteFontFile function until a patch is available, and restrict access to sensitive files such as wp-config.php to minimize the risk of exploitation.
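The defensive pattern that closes this class of bug, as an added example that is not the plugin's own code: a font-file deletion handler that checks authorization, strips directory components from the submitted name, allowlists font extensions, and refuses any path that does not resolve inside one dedicated directory. The ff_example_ function names, the nonce action and the funnelforms-fonts directory are assumptions for illustration.

```php
<?php
// Added example, not code from the Funnelforms plugin. Names prefixed
// ff_example_ and the fonts directory are assumptions.

function ff_example_fonts_dir(): string {
    // Confine deletions to a single directory under the uploads folder.
    $upload = wp_upload_dir();
    return trailingslashit( wp_normalize_path( $upload['basedir'] ) ) . 'funnelforms-fonts/';
}

function ff_example_delete_font_file_handler(): void {
    // 1. Authorization: only administrators may delete, and the request
    //    must carry a valid nonce so it cannot be forged cross-site.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'ff_example_delete_font', 'nonce' );

    // 2. Input hygiene: keep only the base name, then sanitize it, so
    //    "../../wp-config.php" collapses to "wp-config.php".
    $name = isset( $_POST['file'] ) ? sanitize_file_name( wp_basename( wp_unslash( $_POST['file'] ) ) ) : '';
    if ( '' === $name ) {
        wp_send_json_error( 'missing file name', 400 );
    }

    // 3. Allowlist the font extensions this feature is meant to manage;
    //    a .php name is rejected here regardless of where it points.
    $ext = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );
    if ( ! in_array( $ext, array( 'ttf', 'otf', 'woff', 'woff2' ), true ) ) {
        wp_send_json_error( 'unsupported file type', 400 );
    }

    // 4. Resolve symlinks and require the real path to stay inside the
    //    fonts directory and to be a regular file.
    $real_base = realpath( ff_example_fonts_dir() );
    $real      = realpath( ff_example_fonts_dir() . $name );
    if ( false === $real_base || false === $real || ! is_file( $real )
        || 0 !== strpos( wp_normalize_path( $real ), trailingslashit( wp_normalize_path( $real_base ) ) ) ) {
        wp_send_json_error( 'file not found', 404 );
    }

    // 5. Delete via the WordPress helper, which re-checks containment.
    if ( ! wp_delete_file_from_directory( $real, $real_base ) ) {
        wp_send_json_error( 'delete failed', 500 );
    }
    wp_send_json_success( array( 'deleted' => $name ) );
}
add_action( 'wp_ajax_ff_example_delete_font', 'ff_example_delete_font_file_handler' );
```

Note that the handler is registered only on wp_ajax_ (logged-in users), not wp_ajax_nopriv_, so unauthenticated requests never reach it.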

Tags: Fix, RCE, Path traversal

Weakness Enumeration

Related Identifiers: CVE-2024-6312

Affected Products: Funnelforms Free