WordPress Plugin Vulnerabilities

Formidable Forms Pro < 1.06.03 - Arbitrary File Upload via ofc_upload_image.php

Description

The plugin was using a vulnerable library, Open Flash Cart, which lead to an arbitrary file upload issue via the pro/js/ofc-library/ofc_upload_image.php file

Affects Plugins

Plugin icon
formidable
Fixed in 1.06.03

References

CVE
CVE-2009-4140
Exploitdb
10532
URL
exploit/unix/webapp/open_flash_chart_upload_exec
URL
https://packetstormsecurity.com/files/#126583/

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94
CVSS
10.0 (critical)

Miscellaneous

Verified
Yes
WPVDB ID
25f357e7-4bc9-4e5b-8d29-8b9718bb33fb

Timeline

Publicly Published
2014-05-11 (about 12 years ago)
Added
2014-08-01 (about 11 years ago)
Last Updated
2021-03-29 (about 5 years ago)

Other

Published
Title
Published
2024-11-15
Title
Event Tickets with Ticket Scanner < 2.3.12 - Authenticated (Author+) Remote Code Execution
Published
2025-04-25
Title
Add custom page template <= 2.0.1 - Authenticated (Administrator+) PHP Code Injection to Remote Code Execution
Published
2025-11-10
Title
Holiday class post calendar < 7.2 - Unauthenticated Remote Code Execution via 'contents'
Published
2025-02-24
Title
Fresh Framework <= 1.70.0 - Unauthenticated Remote Code Execution
Published
2022-03-22
Title
Woo Product Table < 3.1.2 - Unauthenticated Arbitrary Function Call