CVE-2024-4620
Published: 07 June 2024
Summary
CVE-2024-4620 is a critical-severity vulnerability of unspecified weakness type in Reputeinfosystems Arforms. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 1.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
The vulnerability CVE-2024-4620 affects the ARForms Premium WordPress Form Builder Plugin for WordPress versions prior to 6.6. It stems from insufficient validation on file uploads, allowing modification of uploaded files to include PHP code when a form contains a file upload input field.
Unauthenticated attackers can exploit the flaw remotely over the network without user interaction. Successful exploitation grants the ability to upload and execute arbitrary PHP code, resulting in full compromise of confidentiality, integrity, and availability on the affected site, consistent with its CVSS 9.8 rating.
References from WPScan identify the affected plugin versions and confirm that the issue is resolved by updating to version 6.6 or later. The EPSS score has remained at a peak of 0.7242, with no material increase observed since disclosure.
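The root cause described above is a missing validation step between "a file arrived via the form" and "the file is written somewhere the web server will execute it". The following is an added example, not ARForms code and not taken from the WPScan reference: a generic PHP upload handler that applies the checks a defender expects to see around a form file input. It allowlists extensions and verifies each against the sniffed MIME type rather than the client-supplied Content-Type, rejects multi-extension names and any body containing a PHP open tag, and stores accepted files under a random name outside the web root. The ALLOWED_TYPES table, the `attachment` field name and the /var/uploads-private path are assumptions for illustration.

```php
<?php
// Added example (not ARForms code): a hardened upload handler showing the
// checks whose absence lets a "document" upload end up as executable PHP.

// Allowlist of accepted extensions and the MIME type each must actually have
// according to content sniffing. Constructed for this example.
const ALLOWED_TYPES = [
    'pdf'  => ['application/pdf'],
    'png'  => ['image/png'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
];

/**
 * Validate an uploaded file. Returns null when the file is acceptable,
 * or a short reason string when it must be rejected.
 */
function validate_upload(string $originalName, string $tmpPath, int $maxBytes = 5 * 1024 * 1024): ?string
{
    // 1. Size limit first; never sniff the content of an oversized file.
    $size = filesize($tmpPath);
    if ($size === false || $size === 0 || $size > $maxBytes) {
        return 'size';
    }

    // 2. Exactly one dot is allowed, so "report.php.pdf" and "x.phtml" never
    //    pass; the extension is then matched case-insensitively against the allowlist.
    $base = basename($originalName);
    if (substr_count($base, '.') !== 1) {
        return 'extension';
    }
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        return 'extension';
    }

    // 3. The bytes must match what the extension claims (magic bytes, not the
    //    client-supplied Content-Type, which the uploader controls).
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmpPath);
    if ($mime === false || !in_array($mime, ALLOWED_TYPES[$ext], true)) {
        return 'mime';
    }

    // 4. Defence in depth: refuse anything containing a PHP open tag even if
    //    the magic bytes look fine (polyglot files).
    $contents = file_get_contents($tmpPath);
    if ($contents === false || preg_match('/<\?(php|=)/i', $contents)) {
        return 'php-tag';
    }

    return null;
}

/**
 * Store an accepted file under a random name outside the web root.
 * The original filename is kept only as metadata, never as the on-disk name.
 */
function store_upload(string $tmpPath, string $ext, string $storageDir): string
{
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($storageDir, '/') . '/' . $name;
    if (!move_uploaded_file($tmpPath, $dest)) {
        throw new RuntimeException('store failed');
    }
    chmod($dest, 0640); // not executable, not world-readable
    return $name;
}

// Usage from a form handler. The storage directory is a placeholder that must
// lie outside DOCUMENT_ROOT so nothing in it is ever served or executed.
if (isset($_FILES['attachment']) && $_FILES['attachment']['error'] === UPLOAD_ERR_OK) {
    $f   = $_FILES['attachment'];
    $why = validate_upload($f['name'], $f['tmp_name']);
    if ($why !== null) {
        http_response_code(400);
        exit('upload rejected: ' . $why);
    }
    $ext    = strtolower(pathinfo($f['name'], PATHINFO_EXTENSION));
    $stored = store_upload($f['tmp_name'], $ext, '/var/uploads-private'); // placeholder path
    echo 'stored as ' . htmlspecialchars($stored);
}
```

The order of the checks matters less than the fact that none of them trusts data the submitter supplied: the filename is reduced to a single allowlisted extension, the MIME type comes from the bytes on disk, and the on-disk name is generated server-side. Storing outside the web root means that even a file which slips past every check is never reachable by the PHP handler, which is the control that turns an upload flaw from code execution into a storage-hygiene problem.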
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-44228
Vulnerability details
The ARForms - Premium WordPress Form Builder Plugin WordPress plugin before 6.6 allows unauthenticated users to modify uploaded files in such a way that PHP code can be uploaded when an upload file input is included on a form.
- CWE(s): not specified
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.