WordPress Plugin Vulnerabilities

Piotnet Forms < 1.0.29 - Unauthenticated Arbitrary File Upload

Description

The Piotnet Forms plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'piotnetforms_ajax_form_builder' function in versions up to, and including, 1.0.28. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

Affects Plugins

Plugin icon
piotnetforms
No known fix

References

CVE
CVE-2023-6220
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/af2b7eac-a3f5-408f-b139-643e70b3f27a

Miscellaneous

Original Researcher
István Márton
Verified
No
WPVDB ID
98b06a0c-3ba9-4220-a976-46a85831f0a4

Timeline

Publicly Published
2023-12-04 (about 2 years ago)
Added
2023-12-08 (about 2 years ago)
Last Updated
2024-02-23 (about 2 years ago)

Other

Published
Title
Published
2014-08-01
Title
Image News Slider - Arbitrary File Upload
Published
2024-04-05
Title
Import XML and RSS Feeds < 2.1.6 - Authenticated (Administrator+) Arbitrary File Upload
Published
2024-08-05
Title
Blox Page Builder <= 1.0.65 - Authenticated (Contributor+) Arbitrary File Upload
Published
2022-11-28
Title
JobBoardWP < 1.2.2 - Unauthenticated Arbitrary File Upload
Published
2026-05-04
Title
Betheme < 28.4.1 - Authenticated (Author+) Arbitrary File Upload to Remote Code Execution via Icon Pack Upload