Contact Forms – Drag & Drop Contact Form Builder <= 1.0.5 – Admin+ Arbitrary System File Read | CVE 2021-24689 | Plugin Vulnerabilities

Description

The plugin allows high privilege users to download arbitrary files from the web server via a path traversal attack

Proof of Concept

1) Create a new form with a file upload field.
2) Upload a file to the form created.
3) View the submission in the "All submissions" page and click "Show"
3) Under "File Attachments" you should see the file you uploaded
4) Right-click on the file and copy the url
5) Now paste the url in a new window
6) Change the "&file=" content from the file you uploaded to "../../../../../../../../../../../etc/passwd"
7) The browser will be prompted to download the file.

Affects Plugins

No known fix

References

CVE

Classification

Type

TRAVERSAL

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Davide Taraschi

Submitter

Davide Taraschi

Submitter website

https://davidet.altervista.org

Verified

Yes

WPVDB ID

31824250-e0d4-4285-97fa-9880b363e075

Timeline

Publicly Published

2021-09-27 (about 4 years ago)

Added

2022-01-26 (about 3 years ago)

Last Updated

2022-04-13 (about 3 years ago)

Other

Published

Title

Published

2025-09-03

Title

atec Debug < 1.2.23 - Admin+ Arbitrary File Deletion

Published

2023-05-16

Title

WP < 6.2.1 - Directory Traversal via Translation Files

Published

2021-07-05

Title

Haxcan <= 1.0.0 - Arbitrary File Access

Published

2024-11-25

Title

Product Input Fields for WooCommerce < 2.0 - Contributor+ Arbitrary File Read

Published

2023-12-08

Title

Import and export users and customers < 1.24.3 - Admin+ Arbitrary File Read/Deletion