WordPress Plugin Vulnerabilities

Multi Step Form < 1.7.22 - Missing Authorization via fw_delete_files

Description

The Multi Step Form plugin for WordPress is vulnerable to unauthorized deletion of files due to a missing capability check on the fw_delete_files function in versions up to, and including, 1.7.21. This makes it possible for unauthenticated attackers to delete arbitrary attachments.

Affects Plugins

Plugin icon
multi-step-form
Fixed in 1.7.22

References

CVE
CVE-2024-50428
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/506da7ee-cf95-4fcb-90da-6363409917ab

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
ardias
Verified
No
WPVDB ID
d4111112-5973-4b4a-81f5-1a38e4d45652

Timeline

Publicly Published
2024-10-24 (about 1 year ago)
Added
2024-10-30 (about 1 year ago)
Last Updated
2024-10-30 (about 1 year ago)

Other

Published
Title
Published
2026-06-01
Title
Stripe Payment Forms by WP Full Pay – Accept Credit Card Payments, Donations & Subscriptions < 8.4.2 - Missing Authorization
Published
2026-01-05
Title
GetGenie < 4.3.1 - Missing Authorization
Published
2025-11-20
Title
Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop by TokenICO <= 2.4.6 - Unauthenticated Presale Counter Update
Published
2025-10-05
Title
Nelio Content < 4.0.6 - Missing Authorization
Published
2024-06-05
Title
WP-Recall – Registration, Profile, Commerce & More < 16.26.7 - Unauthenticated Payment Deletion via delete_payment