CVE-2024-7447
CVE-2024-7447 affects the Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free (WordPress). The vulnerability is due to a missing capability check in fnsf_af2_handel_file_upload, affecting all versions up to 3.7.3.2. This allows unauthenticated attackers...
CVE-2023-5990
CVE-2023-5990 affects the WordPress plugin Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor (Funnelforms Free) prior to version 3.4.2. The issue is lack of CSRF protection on certain admin actions (e.g., deleting/duplicating forms), enabling an authenticated attacker t...
CVE-2024-5857
CVE-2024-5857 affects Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free (WordPress). A missing capability check on the af2_handel_file_remove AJAX action in all versions up to 3.7.3.2 allows unauthenticated attackers to delete arbitrary media files. C...
CVE-2024-6311
CVE-2024-6311 affects Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free (WordPress) prior to 3.7.3.2. Root cause: missing file type validation in af2_add_font enables an authenticated user with Administrator+ rights to upload arbitrary files to the se...
CVE-2024-6312
CVE-2024-6312 affects the Funnelforms Free WordPress plugin (up to version 3.7.3.2). The flaw is in af2DeleteFontFile where the plugin does not validate the target file/path before deletion, allowing unauthenticated attackers to delete arbitrary files (including wp-config.php), enabling site take...