
156 matches found

Cvelist
added 2024/08/28 6:43 a.m. · 17 views

CVE-2024-6312 Funnelforms Free <= 3.7.3.2 - Authenticated (Administrator+) Arbitrary File Deletion

The Funnelforms Free plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 3.7.3.2 via the 'af2DeleteFontFile' function. This is due to the plugin not properly validating a file or its path prior to deleting it. This makes it possible for authenticate...

CVSS 6.5 · EPSS 0.0108
Exploits: 0 · References: 3

CVE
added 2024/08/28 6:43 a.m. · 55 views

CVE-2024-6311

CVE-2024-6311 affects Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free (WordPress) prior to 3.7.3.2. Root cause: missing file type validation in af2_add_font enables an authenticated user with Administrator+ rights to upload arbitrary files to the se...

CVSS 7.2 · AI score 7.3 · EPSS 0.00907
Exploits: 0 · References: 3 · Affected Software: 1

CVE
added 2024/08/28 6:43 a.m. · 49 views

CVE-2024-6312

CVE-2024-6312 affects the Funnelforms Free WordPress plugin (up to version 3.7.3.2). The flaw is in af2DeleteFontFile where the plugin does not validate the target file/path before deletion, allowing unauthenticated attackers to delete arbitrary files (including wp-config.php), enabling site take...

CVSS 6.5 · AI score 6.5 · EPSS 0.0108
Exploits: 0 · References: 3 · Affected Software: 1

Vulnrichment
added 2024/08/28 6:43 a.m. · 11 views

CVE-2024-6312 Funnelforms Free <= 3.7.3.2 - Authenticated (Administrator+) Arbitrary File Deletion

The Funnelforms Free plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 3.7.3.2 via the 'af2DeleteFontFile' function. This is due to the plugin not properly validating a file or its path prior to deleting it. This makes it possible for...

CVSS 6.5 · AI score 8.1 · EPSS 0.0108
Exploits: 0 · References: 3

Vulnrichment
added 2024/08/28 6:43 a.m. · 11 views

CVE-2024-6311 Funnelforms Free <= 3.7.3.2 - Authenticated (Administrator+) Arbitrary File Upload

The Funnelforms Free plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'af2addfont' function in all versions up to, and including, 3.7.3.2. This makes it possible for authenticated attackers, with administrator-level and above permissions, to...

CVSS 7.2 · AI score 8 · EPSS 0.00907
Exploits: 0 · References: 3

Patchstack
added 2024/08/28 3:23 a.m. · 2 views

WordPress Funnelforms Free plugin <= 3.7.3.2 - Missing Authorization to Unauthenticated Arbitrary Media Upload and Deletion vulnerability

Missing Authorization to Unauthenticated Arbitrary Media Upload and Deletion vulnerability discovered by Lucio Sá in WordPress Plugin Funnelforms Free versions <= 3.7.3.2...

CVSS 5.3 · AI score 7 · EPSS 0.00402
Exploits: 0 · References: 1 · Affected Software: 1

Patchstack
added 2024/08/28 3:22 a.m. · 3 views

WordPress Funnelforms Free plugin <= 3.7.3.2 - Authenticated (Administrator+) Arbitrary File Deletion vulnerability

Authenticated Administrator+ Arbitrary File Deletion vulnerability discovered by István Márton in WordPress Plugin Funnelforms Free versions <= 3.7.3.2...

CVSS 6.5 · AI score 7 · EPSS 0.0108
Exploits: 0 · References: 1 · Affected Software: 1

Patchstack
added 2024/08/28 3:21 a.m. · 6 views

WordPress Funnelforms Free plugin <= 3.7.3.2 - Authenticated (Administrator+) Arbitrary File Upload vulnerability

Authenticated Administrator+ Arbitrary File Upload vulnerability discovered by István Márton in WordPress Plugin Funnelforms Free versions <= 3.7.3.2...

CVSS 7.2 · AI score 7 · EPSS 0.00907
Exploits: 0 · References: 1 · Affected Software: 1

Positive Technologies
added 2024/08/28 12:00 a.m. · 6 views

PT-2024-38357 · WordPress · Funnelforms Free

Name of the Vulnerable Software and Affected Versions: Funnelforms Free plugin for WordPress versions up to, and including, 3.7.3.2
Description: The issue is related to unauthorized modification of data due to a missing capability check on the fnsf af2 handel file upload function. This allows...

CVSS 5.3 · AI score 6.8 · EPSS 0.00402
Exploits: 0 · References: 9

Positive Technologies
added 2024/08/28 12:00 a.m. · 2 views

PT-2024-37196 · WordPress · Funnelforms Free

Name of the Vulnerable Software and Affected Versions: Funnelforms Free plugin for WordPress versions up to, and including, 3.7.3.2
Description: The issue allows unauthorized loss of data due to a missing capability check on the af2 handel file remove AJAX action. This makes it possible for...

CVSS 5.3 · AI score 7 · EPSS 0.00317
Exploits: 0 · References: 8

CNNVD
added 2024/08/28 12:00 a.m. · 1 views

WordPress plugin Funnelforms Free path traversal vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a set of blogging platforms developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A path traversal...

CVSS 6.5 · AI score 6.9 · EPSS 0.0108
Exploits: 0 · References: 4

CNNVD
added 2024/08/28 12:00 a.m. · 3 views

WordPress plugin Funnelforms Free security vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plug-in. A security vulnerability...

CVSS 5.3 · AI score 6.8 · EPSS 0.00402
Exploits: 0 · References: 4

Patchstack
added 2024/08/28 12:00 a.m. · 7 views

WordPress Funnelforms Free Plugin <= 3.7.3.2 is vulnerable to Broken Access Control

Software: Funnelforms Free; Type: Plugin; Vulnerable versions: <= 3.7.3.2; Fixed in: 3.7.4.1; OWASP Top 10: A5: Broken Access Control; Classification: Broken Access Control; CVE: CVE-2024-7447; Patch priority: Low; CVSS severity: Low 5.3; PSID: 87b385c8e3d6; Credits: Lucio Sá; Required privile...

CVSS 5.3 · AI score 6.6 · EPSS 0.00402
Exploits: 0 · References: 3 · Affected Software: 1

Patchstack
added 2024/08/28 12:00 a.m. · 12 views

WordPress Funnelforms Free Plugin <= 3.7.3.2 is vulnerable to Arbitrary File Deletion

Software: Funnelforms Free; Type: Plugin; Vulnerable versions: <= 3.7.3.2; Fixed in: 3.7.4.1; OWASP Top 10: A1: Broken Access Control; Classification: Arbitrary File Deletion; CVE: CVE-2024-6312; Patch priority: Low; CVSS severity: Low 5.5; PSID: 8300ca56d7fc; Credits: István Márton; Required...

CVSS 6.5 · AI score 6.6 · EPSS 0.0108
Exploits: 0 · References: 3 · Affected Software: 1

Patchstack
added 2024/08/28 12:00 a.m. · 11 views

WordPress Funnelforms Free Plugin <= 3.7.3.2 is vulnerable to Arbitrary File Upload

Software: Funnelforms Free; Type: Plugin; Vulnerable versions: <= 3.7.3.2; Fixed in: 3.7.4.1; OWASP Top 10: A1: Injection; Classification: Arbitrary File Upload; CVE: CVE-2024-6311; Patch priority: Low; CVSS severity: Low 6.6; PSID: a49e53d16951; Credits: István Márton; Required privilege...

CVSS 7.2 · AI score 6.9 · EPSS 0.00907
Exploits: 0 · References: 3 · Affected Software: 1

CNNVD
added 2024/08/28 12:00 a.m. · 3 views

WordPress plugin Funnelforms Free code issue vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on servers running PHP and MySQL. WordPress plugin is an application plugin. A code issue vulnerability exists i...

CVSS 7.2 · AI score 7.8 · EPSS 0.00907
Exploits: 0 · References: 4

Positive Technologies
added 2024/08/27 12:00 a.m. · 3 views

PT-2024-37532 · WordPress · Funnelforms Free

Name of the Vulnerable Software and Affected Versions: Funnelforms Free plugin for WordPress versions up to, and including, 3.7.3.2
Description: The issue is related to arbitrary file uploads due to missing file type validation in the af2 add font function. This allows authenticated attackers wit...

CVSS 7.2 · AI score 7.6 · EPSS 0.00907
Exploits: 0 · References: 11

Positive Technologies
added 2024/08/27 12:00 a.m. · 4 views

PT-2024-37533 · WordPress · Funnelforms Free

Name of the Vulnerable Software and Affected Versions: Funnelforms Free plugin for WordPress versions up to, and including, 3.7.3.2
Description: The issue is related to arbitrary file deletion due to the plugin not properly validating a file or its path prior to deletion. This is made possible vi...

CVSS 6.5 · AI score 7.6 · EPSS 0.0108
Exploits: 0 · References: 9

Cvelist
added 2023/12/04 9:29 p.m. · 18 views

CVE-2023-5990 Funnelforms Free < 3.4.2 - Form Deletion/Duplication via CSRF

The Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor WordPress plugin before 3.4.2 does not have CSRF checks on some of its form actions such as deletion and duplication, which could allow attackers to make logged in admin perform such actions via CSRF attacks...

AI score 6.7 · EPSS 0.0027
Exploits: 2 · References: 1

WPVulnDB
added 2023/11/23 12:00 a.m. · 14 views

Funnelforms Free < 3.4.2 - Missing Authorization to Arbitrary Post Deletion

Description The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsfdeleteposts function in versions up to, and including, 3.4. This makes it possible for authenticated attackers, with subscriber-level permissions a...

CVSS 6.5 · AI score 6.8 · EPSS 0.00408
Exploits: 0 · References: 1 · Affected Software: 1