221 matches found

Patchstack
added 2024/06/07 8:6 a.m. · 4 views

WordPress ArForms Premium plugin < 6.6 - Unauthenticated RCE vulnerability

Unauthenticated RCE vulnerability discovered by mgthuramoemyint in WordPress Plugin ARForms versions 6.6...

CVSS 9.8 · AI score 7 · EPSS 0.72422
Exploits 2 · References 1 · Affected Software 1

NVD
added 2024/06/07 6:15 a.m. · 17 views

CVE-2024-4621

The ARForms - Premium WordPress Form Builder Plugin WordPress plugin before 6.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example ...

CVSS 4.8 · EPSS 0.0017
Exploits 2 · References 1

OSV
added 2024/06/07 6:15 a.m. · 2 views

CVE-2024-4620

The ARForms - Premium WordPress Form Builder Plugin WordPress plugin before 6.6 allows unauthenticated users to modify uploaded files in such a way that PHP code can be uploaded when an upload file input is included on a form...

CVSS 9.8 · AI score 5.8
Exploits 0 · References 1

OSV
added 2024/06/07 6:15 a.m. · 1 view

CVE-2024-4621

The ARForms - Premium WordPress Form Builder Plugin WordPress plugin before 6.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example ...

CVSS 4.8 · AI score 5.8 · EPSS 0.0017
Exploits 2 · References 1

CVE
added 2024/06/07 6:0 a.m. · 82 views

CVE-2024-4620

CVE-2024-4620 concerns ARForms – Premium WordPress Form Builder Plugin. The vulnerability affects versions prior to 6.6 and allows unauthenticated users to modify uploaded files in a form so that PHP code can be uploaded, enabling remote code execution on affected WordPress servers. The CVSS v3.1...

CVSS 9.8 · AI score 9.6 · EPSS 0.72422
Exploits 2 · References 1 · Affected Software 1

Vulnrichment
added 2024/06/07 6:0 a.m. · 21 views

CVE-2024-4621 ArForms < 6.6 - Admin+ Stored XSS

The ARForms - Premium WordPress Form Builder Plugin WordPress plugin before 6.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example ...

AI score 5.7 · EPSS 0.0017
Exploits 2 · References 1

CVE
added 2024/06/07 6:0 a.m. · 62 views

CVE-2024-4621

CVE-2024-4621 affects ARForms – Premium WordPress Form Builder Plugin prior to version 6.6. The issue is a Stored XSS vulnerability caused by insufficient sanitisation/escaping of certain plugin settings, potentially allowing high-privilege users (e.g., admins) to inject scripts even when unfilte...

CVSS 4.8 · AI score 4.9 · EPSS 0.0017
Exploits 2 · References 1 · Affected Software 1

Cvelist
added 2024/06/07 6:0 a.m. · 18 views

CVE-2024-4620 ArForms < 6.6 - Unauthenticated RCE

The ARForms - Premium WordPress Form Builder Plugin WordPress plugin before 6.6 allows unauthenticated users to modify uploaded files in such a way that PHP code can be uploaded when an upload file input is included on a form...

EPSS 0.72422
Exploits 2 · References 1

Vulnrichment
added 2024/06/07 6:0 a.m. · 19 views

CVE-2024-4620 ArForms < 6.6 - Unauthenticated RCE

The ARForms - Premium WordPress Form Builder Plugin WordPress plugin before 6.6 allows unauthenticated users to modify uploaded files in such a way that PHP code can be uploaded when an upload file input is included on a form...

AI score 7 · EPSS 0.72422
Exploits 2 · References 1

Cvelist
added 2024/06/07 6:0 a.m. · 16 views

CVE-2024-4621 ArForms < 6.6 - Admin+ Stored XSS

The ARForms - Premium WordPress Form Builder Plugin WordPress plugin before 6.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example ...

EPSS 0.0017
Exploits 2 · References 1

Positive Technologies
added 2024/06/07 12:0 a.m. · 3 views

PT-2024-31921 · WordPress · Arforms

Name of the Vulnerable Software and Affected Versions: ARForms - Premium WordPress Form Builder Plugin version prior to 6.6 Description: The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks. This is possible because some settings are not properly...

CVSS 4.8 · AI score 5.3 · EPSS 0.0017
Exploits 2 · References 5

Patchstack
added 2024/06/07 12:0 a.m. · 13 views

WordPress ARForms Plugin < 6.6 is vulnerable to Remote Code Execution (RCE)

Software ARForms Type Plugin Vulnerable versions 6.6 Fixed in 6.6 OWASP Top 10 A1: Injection Classification Remote Code Execution RCE CVE CVE-2024-4620 Patch priority High CVSS severity High 10 Developer Claim ownership PSID eba026d169e8 Credits mgthuramoemyint Required privilege Unauthenticated...

CVSS 9.8 · AI score 7.2 · EPSS 0.72422
Exploits 2 · References 2 · Affected Software 1

Patchstack
added 2024/06/07 12:0 a.m. · 9 views

WordPress ARForms Plugin < 6.6 is vulnerable to Cross Site Scripting (XSS)

Software ARForms Type Plugin Vulnerable versions 6.6 Fixed in 6.6 OWASP Top 10 A7: Cross-Site Scripting XSS Classification Cross Site Scripting XSS CVE CVE-2024-4621 Patch priority Low CVSS severity Low 5.9 Developer Claim ownership PSID 54c970f6100c Credits Bob Matyas Required privilege...

CVSS 4.8 · AI score 5.7 · EPSS 0.0017
Exploits 2 · References 3 · Affected Software 1

CNNVD
added 2024/06/07 12:0 a.m. · 3 views

WordPress plugin ARForms security vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a set of blogging platforms developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A security...

CVSS 9.8 · AI score 6.8 · EPSS 0.72422
Exploits 2 · References 2

VulnCheck KEV
added 2024/06/07 12:0 a.m. · 1 view

VulnCheck KEV: CVE-2024-4620

The ARForms - Premium WordPress Form Builder Plugin WordPress plugin before 6.6 allows unauthenticated users to modify uploaded files in such a way that PHP code can be uploaded when an upload file input is included on a form...

CVSS 9.8 · AI score 5.8 · EPSS 0.72422
Exploits 2 · References 1

CNNVD
added 2024/06/07 12:0 a.m. · 3 views

WordPress plugin ARForms security vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a set of blogging platforms developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A security...

CVSS 4.8 · AI score 6 · EPSS 0.0017
Exploits 2 · References 2

Positive Technologies
added 2024/06/07 12:0 a.m. · 4 views

PT-2024-31920

Name of the Vulnerable Software and Affected Versions ARForms - Premium WordPress Form Builder Plugin versions prior to 6.6 Description The issue allows unauthenticated users to modify uploaded files, enabling the upload of PHP code when an upload file input is included on a form. Recommendations...

CVSS 9.8 · AI score 5.5 · EPSS 0.72422
Exploits 2 · References 7

wpexploit
added 2024/05/22 12:0 a.m. · 127 views

Arforms < 6.4.1 - Reflected XSS

Description The plugin does not properly escape user-controlled input when it is reflected in some of its AJAX actions. https://www.example.com/wp-admin/admin-ajax.php?action=currentmodal&positionmodal=alertdocument.domain...

AI score 6.7 · EPSS 0.0024
Exploits 2

WPVulnDB
added 2024/05/22 12:0 a.m. · 11 views

Arforms < 6.4.1 - Reflected XSS

Description The plugin does not properly escape user-controlled input when it is reflected in some of its AJAX actions. PoC https://www.example.com/wp-admin/admin-ajax.php?action=currentmodalmodal=...

AI score 6.5 · EPSS 0.0024
Exploits 2 · Affected Software 1

wpexploit
added 2024/05/17 12:0 a.m. · 183 views

ArForms < 6.6 - Unauthenticated RCE

Description The plugin allows unauthenticated users to modify uploaded files in such a way that PHP code can be uploaded when an upload file input is included on a form 1. Create a form with an upload input 2. As an unauthenticated user, upload an image file and intercept the request. 3. Modify i...

AI score 9.6 · EPSS 0.72422
Exploits 2