WordPress Plugin Vulnerabilities

Contact Form Entries < 1.3.3 - Admin+ Arbitrary File Upload

Description

The plugin is vulnerable to arbitrary file uploads due to insufficient file validation on the 'view_page' function, allowing authenticated attackers with administrator-level capabilities or above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Affects Plugins

Plugin icon
contact-form-entries
Fixed in 1.3.3

References

CVE
CVE-2024-1069
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/120313be-9f98-4448-9f5d-a77186a6ff08

Miscellaneous

Original Researcher
István Márton
Verified
No
WPVDB ID
79ba08b3-6944-4544-9a8f-de747c837a83

Timeline

Publicly Published
2024-01-30 (about 2 years ago)
Added
2024-01-31 (about 2 years ago)
Last Updated
2024-01-31 (about 2 years ago)

Other

Published
Title
Published
2015-03-07
Title
WooThemes Daily Edition <= 1.6.2 - Unrestricted File Upload
Published
2014-08-01
Title
appius - Custom Background Shell Upload
Published
2015-04-09
Title
Windows Desktop And iPhone Photo Uploader <= 1.8 - File Upload
Published
2025-07-23
Title
WPBookit < 1.0.7 - Unauthenticated Arbitrary File Upload via image_upload_handle Function
Published
2025-05-21
Title
MapSVG - All Kinds of Maps and Store Locator for WordPress <= 8.6.4 - Authenticated (Contributor+) Stored Cross-Site Scripting