WordPress Plugin Vulnerabilities

Conversational Forms for ChatBot < 1.2.0 - Unauthenticated Arbitrary File Download

Description

The ChatBot Conversational Forms plugin for WordPress is vulnerable to Arbitrary File Download in all versions up to, and including, 1.1.8. This makes it possible for unauthenticated attackers to download arbitrary files from the server which may contain sensitive information.

Affects Plugins

Plugin icon
conversational-forms
Fixed in 1.2.0

References

CVE
CVE-2024-32729
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/54db4d53-7c4f-47d9-811d-8282eaf2d074

Classification

Type
LFI
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
7.5 (high)

Miscellaneous

Original Researcher
beluga
Verified
No
WPVDB ID
ff7077ac-380f-45af-bfdc-f04498fa6121

Timeline

Publicly Published
2024-04-22 (about 2 years ago)
Added
2024-04-29 (about 2 years ago)
Last Updated
2024-04-29 (about 2 years ago)

Other

Published
Title
Published
2024-03-15
Title
Backuply – Backup, Restore, Migrate and Clone < 1.2.8 - Admin+ Directory Traversal
Published
2026-04-20
Title
Everest Forms < 3.4.5 - Unauthenticated Arbitrary File Read and Deletion via Upload Field 'old_files' Parameter
Published
2024-04-05
Title
Media Library Folders < 8.1.9 - Authenticated (Author+) Directory Traversal
Published
2014-08-01
Title
Plugin Newsletter 1.5 - Remote File Disclosure
Published
2023-10-19
Title
Ultimate Addons for WPBakery Page Builder < 3.19.15 - Authenticated(Contributor+) Local File Inclusion