Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2023-4596

The Forminator plugin for WordPress is vulnerable to arbitrary file uploads due to file type validation occurring after a file has been uploaded to the server in the upload_post_image() function in versions up to, and including, 1.24.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

Published

2023-08-30T02:15:09.353

Last Modified

2024-11-21T08:35:30.643

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 9.8 (CRITICAL)

Weaknesses

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	incsub	forminator	≤ 1.24.6	Yes

References

https://plugins.trac.wordpress.org/changeset/2954409/forminator/trunk/library/fields/postdata.php Patch ([email protected])
https://www.exploit-db.com/exploits/51664 Exploit, Third Party Advisory, VDB Entry ([email protected])
https://www.wordfence.com/threat-intel/vulnerabilities/id/9cd87da6-1f4c-4a15-8ebb-6e0f8ef72513?source=cve Third Party Advisory ([email protected])
https://plugins.trac.wordpress.org/changeset/2954409/forminator/trunk/library/fields/postdata.php Patch (af854a3a-2127-422b-91ae-364da2661108)
https://www.exploit-db.com/exploits/51664 Exploit, Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
https://www.wordfence.com/threat-intel/vulnerabilities/id/9cd87da6-1f4c-4a15-8ebb-6e0f8ef72513?source=cve Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)