WordPress Plugin Vulnerabilities

Hash Form - Drag & Drop Form Builder < 1.2.0 - Unauthenticated Limited File Upload

Description

The Hash Form – Drag & Drop Form Builder plugin for WordPress is vulnerable to limited file uploads due to a misconfigured file type validation in the 'handleUpload' function in all versions up to, and including, 1.1.9. This makes it possible for unauthenticated attackers to upload files that are excluded from both the 'allowedExtensions' and 'unallowed_extensions' arrays on the affected site's server, including files that may contain cross-site scripting.

Affects Plugins

Plugin icon
hash-form
Fixed in 1.2.0

References

CVE
CVE-2024-9417
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/cad7731a-1f81-4055-9b49-15b35edd3fcf

Miscellaneous

Original Researcher
Rein Daelman (trein)
Verified
No
WPVDB ID
f0b147ba-13f5-46f6-bdc3-5af00c843d8a

Timeline

Publicly Published
2024-10-04 (about 1 year ago)
Added
2024-10-04 (about 1 year ago)
Last Updated
2024-10-05 (about 1 year ago)

Other

Published
Title
Published
2014-08-01
Title
Amerisale-Re - Remote Shell Upload
Published
2024-11-13
Title
Writer Helper <= 3.1.6 - Authenticated (Subscriber+) Arbitrary File Upload
Published
2014-11-30
Title
WordPress Slider Revolution Shell Upload
Published
2026-04-23
Title
Drag and Drop File Upload for Contact Form 7 < 1.1.4 - Unauthenticated Arbitrary File Upload via sanitize_file_name Bypass
Published
2014-08-01
Title
WP Marketplace 1.2.1 - File Enumeration Weakness & File Upload Vulnerabilities