CVE-2024-8756

Name of the Vulnerable Software and Affected Versions: The Quform - WordPress Form Builder plugin versions up to, and including, 2.20.0

Description: The issue allows unauthenticated attackers to extract sensitive data, such as Personally Identifiable Information, from files uploaded by users via the saveUploadedFile function. This makes it possible for attackers to access sensitive information. Files uploaded via forms created before version 2.21.0 will remain vulnerable to exposure after upgrading.

Recommendations: For versions up to, and including, 2.20.0, to fully patch the plugin, site administrators should download any previously uploaded files, delete previously existing files and forms, and create the forms again after upgrading to version 2.21.0. As a temporary workaround, consider disabling the saveUploadedFile function until a patch is available.