221 matches found
ArForms < 6.6 - Unauthenticated RCE
Description: The plugin allows unauthenticated users to modify uploaded files in such a way that PHP code can be uploaded when an upload file input is included on a form. PoC: 1. Create a form with an upload input. 2. As an unauthenticated user, upload an image file and intercept the request. 3...
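The root cause described above is a file upload that trusts what the client says about the file. The following is an added example, not ARForms code, of how a WordPress plugin can validate a form upload server-side; the function name, the allow-list and the storage naming are assumptions for illustration:

```php
<?php
// Added example (not the plugin's code): validate a form file upload without
// trusting the client-supplied name or MIME type. Function and option names are
// hypothetical. Assumes WordPress core functions are loaded.

function example_validate_upload( array $file, array $allowed_ext = array( 'jpg', 'jpeg', 'png', 'gif', 'pdf' ) ) {
    if ( ! isset( $file['tmp_name'], $file['name'] ) || ! is_uploaded_file( $file['tmp_name'] ) ) {
        return new WP_Error( 'no_file', 'No uploaded file.' );
    }

    // Drop any path components and characters WordPress treats as unsafe in names.
    $name = sanitize_file_name( wp_basename( $file['name'] ) );

    // Reject double extensions such as "image.php.jpg": every segment after the
    // first must be a plain extension, and none may be a server-side script type.
    $parts = array_map( 'strtolower', explode( '.', $name ) );
    $script_ext = array( 'php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phar', 'phps', 'htaccess' );
    foreach ( array_slice( $parts, 1 ) as $segment ) {
        if ( in_array( $segment, $script_ext, true ) ) {
            return new WP_Error( 'script_ext', 'Executable extension in filename.' );
        }
    }

    // Let WordPress sniff the real type from the file bytes and compare it with the
    // extension. A mismatch, or an extension not in the site's allowed MIME map,
    // comes back with empty 'ext' / 'type'.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $name );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'bad_type', 'File content does not match its extension.' );
    }
    if ( ! in_array( strtolower( $check['ext'] ), $allowed_ext, true ) ) {
        return new WP_Error( 'not_allowed', 'File type not allowed on this form.' );
    }

    // The server, not the client, picks the stored name and extension, so a
    // tampered multipart request cannot steer the file to a .php path.
    return wp_generate_password( 16, false, false ) . '.' . strtolower( $check['ext'] );
}
```

Two caveats a practitioner would add: a valid image can still carry PHP in its comment or metadata, so the upload directory should also have script execution disabled at the web server (for example a `php_flag engine off` or equivalent rule for the uploads path), and the nonce and capability checks that protect the submission endpoint itself are a separate concern from the content validation shown here.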
ArForms < 6.6 - Admin+ Stored XSS
Description: The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup. 1. Add or edit an existing form and in...
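The point of the finding above is that a plugin setting must be filtered on save and escaped on output regardless of the saver's role, because WordPress itself denies unfiltered_html to administrators on multisite (and wherever DISALLOW_UNFILTERED_HTML is set). The following added example, not ARForms code, shows the weak pattern beside the corrected one; the option name, field name and nonce action are hypothetical:

```php
<?php
// Added example (not the plugin's code): a markup-bearing plugin setting saved by
// an admin. Option, field and nonce names are hypothetical. Assumes WordPress core.

// BEFORE: whatever was POSTed is stored and later echoed unchanged, so any user
// who can reach this screen stores script, even when the site has taken
// unfiltered_html away from them.
function example_save_setting_vulnerable() {
    update_option( 'example_form_intro', wp_unslash( $_POST['intro'] ) );
}
function example_render_setting_vulnerable() {
    echo '<div class="intro">' . get_option( 'example_form_intro' ) . '</div>';
}

// AFTER: gate the save on the capability, bind it to a nonce, apply the same KSES
// rule core applies to post content for users without unfiltered_html, and filter
// again on output so a tampered option row cannot reintroduce script.
function example_save_setting_fixed() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_save_setting' );

    $raw = isset( $_POST['intro'] ) ? wp_unslash( $_POST['intro'] ) : '';
    // Users holding unfiltered_html keep their markup, exactly as with post_content;
    // everyone else (all admins on multisite) is reduced to the post allow-list.
    $clean = current_user_can( 'unfiltered_html' ) ? $raw : wp_kses_post( $raw );
    update_option( 'example_form_intro', $clean );
}
function example_render_setting_fixed() {
    $intro = get_option( 'example_form_intro', '' );
    // Output-side filtering for an HTML-bearing value. For a plain-text setting use
    // sanitize_text_field() on save and esc_html() (or esc_attr() in attributes) here.
    echo '<div class="intro">' . wp_kses_post( $intro ) . '</div>';
}
```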
CVE-2024-31270
Missing Authorization vulnerability in Repute InfoSystems ARForms Form Builder. This issue affects ARForms Form Builder: from n/a through 1.6.1...
CVE-2024-31270 WordPress ARForms Form Builder plugin <= 1.6.1 - Broken Access Control vulnerability
Missing Authorization vulnerability in Repute InfoSystems ARForms Form Builder. This issue affects ARForms Form Builder: from n/a through 1.6.1...
WordPress plugin ARForms Form Builder security vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blogging platform developed in PHP. The platform supports setting up personal blog sites on servers with PHP and MySQL. A WordPress plugin is an application plugin. A security vulnerability...
PT-2024-23915 · Unknown · Arforms Form Builder
Name of the Vulnerable Software and Affected Versions: ARForms Form Builder versions 1.6.1 and earlier. Description: The issue is related to a missing authorization vulnerability in ARForms Form Builder. This vulnerability may allow unauthorized access to sensitive data. Recommendations: Update to...
CVE-2024-1945 ARForms Form Builder <= 1.6.4 - Missing Authorization to Authenticated(Subscriber+) Arbitrary Option Deletion
The Contact Form, Survey & Popup Form Plugin for WordPress – ARForms Form Builder plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'arflite_remove_preview_data' function in all versions up to, and including, 1.6.4. This makes it possible for...
CVE-2024-1945
CVE-2024-1945 affects ARForms Form Builder (WordPress). Vulnerability: a missing capability check in arflite_remove_preview_data allows authenticated users with Subscriber+ access to delete arbitrary site options, causing availability loss, in all versions up to 1.6.4. No remediation details provided in th...
WordPress plugin ARForms Form Builder security vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blogging platform developed in PHP. The platform supports setting up personal blog sites on servers with PHP and MySQL. A WordPress plugin is an application plug-in. A security vulnerability...
PT-2024-18440 · WordPress · Arforms Form Builder
Name of the Vulnerable Software and Affected Versions: ARForms Form Builder plugin for WordPress versions up to, and including, 1.6.4. Description: The issue is related to a missing capability check on the arflite_remove_preview_data function, allowing authenticated attackers with subscriber acces...
ARforms < 6.4.1 - Reflected Cross-Site Scripting
Description The ARforms plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 6.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that...
ARForms < 6.4.1 - Missing Authorization to Arbitrary File Deletion
Description The ARforms plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on a function in all versions up to, and including, 6.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrar...
ARForms < 6.4.1 - Missing Authorization to Arbitrary Option Deletion
Description The ARforms plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on a function in all versions up to, and including, 6.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrar...
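The CVE-2024-1945 entries above and the two 6.4.1 missing-authorization entries here share one shape: an admin-ajax action that does destructive work (delete an option, delete a file) without asking who is calling. Because `wp_ajax_*` hooks fire for every logged-in role, a Subscriber reaches them. The following is an added example, not the plugin's code, of that pattern beside its hardened form; the action names, option prefix and nonce action are hypothetical:

```php
<?php
// Added example (not the plugin's code): a "remove preview data" AJAX handler.
// Hook names, option prefix and nonce action are hypothetical. Assumes WordPress core.

// BEFORE: reachable by any authenticated user, and the option name comes straight
// from the request, so a Subscriber can delete siteurl, active_plugins, or any
// other option and take the site down.
add_action( 'wp_ajax_example_remove_preview_data', 'example_remove_preview_data_vulnerable' );
function example_remove_preview_data_vulnerable() {
    $key = isset( $_POST['option_key'] ) ? $_POST['option_key'] : '';
    delete_option( $key );
    wp_send_json_success();
}

// AFTER: require the capability the action really needs, tie the request to a nonce
// so it cannot be forged from another site, and confine the deletable keys to the
// plugin's own namespace instead of trusting the caller.
add_action( 'wp_ajax_example_remove_preview_data_fixed', 'example_remove_preview_data_fixed' );
function example_remove_preview_data_fixed() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // sends the response and exits
    }
    check_ajax_referer( 'example_preview_nonce', 'nonce' ); // dies on a bad or missing nonce

    $key = isset( $_POST['option_key'] ) ? sanitize_key( wp_unslash( $_POST['option_key'] ) ) : '';
    if ( '' === $key || 0 !== strpos( $key, 'example_preview_' ) ) {
        wp_send_json_error( 'invalid option key', 400 );
    }
    delete_option( $key );
    wp_send_json_success();
}
```

The same three checks (capability, nonce, server-side restriction of what may be touched) apply to the file-deletion variant: resolve the target to a path inside the plugin's own upload directory and refuse anything that escapes it, rather than unlinking a client-supplied path.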
ARforms < 6.4.1 - Authenticated (Subscriber+) SQL Injection
Description The ARforms plugin for WordPress is vulnerable to SQL Injection via an unknown parameter in all versions up to, and including, 6.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for...
WordPress ARForms Form Builder plugin <= 1.6.4 - Missing Authorization to Authenticated(Subscriber+) Arbitrary Option Deletion vulnerability
Missing Authorization to Authenticated (Subscriber+) Arbitrary Option Deletion vulnerability discovered by Lucio Sá in WordPress Plugin ARForms Form Builder versions <= 1.6.4...
WordPress ARForms Form Builder Plugin <= 1.6.4 is vulnerable to Broken Access Control
Software: ARForms Form Builder. Type: Plugin. Vulnerable versions: <= 1.6.4. Fixed in: 1.6.5. OWASP Top 10: A5: Broken Access Control. Classification: Broken Access Control. CVE: CVE-2024-1945. Patch priority: Medium. CVSS severity: Medium 7.1. PSID: ea61cb9b5b99. Credits: Lucio Sá. Required...