WordPress Plugin Vulnerabilities

Multi Step Form < 1.7.24 - Missing Authorization to Unauthenticated Limited File Upload

Description

The Multi Step Form plugin for WordPress is vulnerable to unauthorized limited file upload due to a missing capability check on the fw_upload_file AJAX action in all versions up to, and including, 1.7.23. This makes it possible for unauthenticated attackers to upload limited file types such as images.

Affects Plugins

Plugin icon
multi-step-form
Fixed in 1.7.24

References

CVE
CVE-2024-12427
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/f0a31fee-ccc2-4c3b-b198-6cb750188113

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Ryan Zegar
Verified
No
WPVDB ID
2da59976-5e68-430b-b8ca-a292e6cd8f64

Timeline

Publicly Published
2025-01-15 (about 1 year ago)
Added
2025-01-15 (about 1 year ago)
Last Updated
2025-01-16 (about 1 year ago)

Other

Published
Title
Published
2026-01-29
Title
Travelpayouts <= 1.2.1 - Missing Authorization
Published
2024-04-05
Title
All-in-One Video Gallery < 3.6.0 - Missing Authorization
Published
2024-12-13
Title
WP Job Portal < 2.2.3 - Missing Authorization to Limited Privilege Escalation
Published
2024-03-28
Title
MP3 Audio Player for Music, Radio & Podcast by Sonaar < 5.1.1 - Missing Authorization
Published
2026-01-18
Title
Sober <= 3.5.12 - Missing Authorization