WordPress Plugin Vulnerabilities

All Post Contact Form <= 1.8.2 - Unauthenticated Arbitrary File Upload

Description

The plugin is vulnerable to arbitrary file uploads due to missing file type validation. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

Affects Plugins

Plugin icon
allpost-contactform
No known fix

References

CVE
CVE-2024-50523
URL
https://patchstack.com/database/wordpress/plugin/allpost-contactform/vulnerability/wordpress-all-post-contact-form-plugin-1-6-7-arbitrary-file-upload-vulnerability

Miscellaneous

Original Researcher
stealthcopter
Verified
No
WPVDB ID
e4d8303c-b76e-49ef-bf7f-7d8565c19aa6

Timeline

Publicly Published
2024-10-30 (about 1 year ago)
Added
2024-11-06 (about 1 year ago)
Last Updated
2025-06-03 (about 11 months ago)

Other

Published
Title
Published
2024-08-21
Title
AcyMailing < 9.8.0 - Authenticated (Subscriber+) Arbitrary File Upload via acym_extractArchive Function
Published
2025-07-30
Title
AI Engine 2.9.3 - 2.9.4 - Subscriber+ Arbitrary File Upload
Published
2022-11-21
Title
Booking Calendar < 3.2.2 - Unauthenticated Arbitrary File Upload
Published
2013-11-30
Title
Phototouch < 1.2.2 - Arbitrary File Upload via themify-ajax.php
Published
2026-02-03
Title
WP FOFT Loader < 2.1.40 - Authenticated (Author+) Arbitrary File Upload