Lucene search

[email protected]NVD:CVE-2024-7775

HistoryAug 20, 2024 - 4:15 a.m.

CVE-2024-7775

2024-08-2004:15:10

CWE-79

[email protected]

web.nvd.nist.gov

contact form

bit form

multi step form

calculation contact form

payment contact form

custom contact form

wordpress

vulnerable

javascript file uploads

input validation

arbitrary

authenticated attackers

administrator-level access

CVSS3

4.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

EPSS

Percentile

14.6%

JSON

The Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder plugin for WordPress is vulnerable to arbitrary JavaScript file uploads due to missing input validation in the addCustomCode function in versions 2.0 to 2.13.9. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary JavaScript files to the affected site’s server.

Affected configurations

Nvd

Node

bitappscontact_form_builderRange2.0.0–2.13.10wordpress

VendorProductVersionCPE
bitappscontact_form_builder*cpe:2.3:a:bitapps:contact_form_builder:*:*:*:*:*:wordpress:*:*

Vendor	Product	Version	CPE
bitapps	contact_form_builder	*	cpe:2.3:a:bitapps:contact_form_builder::::::wordpress::*

References

plugins.trac.wordpress.org/browser/bit-form/tags/2.13.6/includes/Admin/AdminAjax.php#L1314

www.wordfence.com/threat-intel/vulnerabilities/id/3936d7dc-840e-41fc-8af4-db40c0cff660?source=cve