Cyber Resilience

CVE-2024-6312

Severity: Medium
Published: 28 August 2024
Modified: 08 April 2026
CISA KEV: not listed
Patch: available (fixed in 3.7.4.1)
CVSS v3.1 base score: 6.5 (Medium), vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
EPSS score: 0.1278 (94.2nd percentile)
Risk Priority: 21 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-6312 is a medium-severity path traversal (CWE-22) vulnerability in the Funnelforms Free plugin for WordPress, published by Funnelforms. Its CVSS v3.1 base score is 6.5 (Medium); the vector requires high privileges (PR:H) and rates the impact as high for integrity and availability but none for confidentiality.

Operationally, its EPSS score places it in the top 5.8% of CVEs by estimated exploit likelihood; it is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.

Deeper analysis

The Funnelforms Free plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to and including 3.7.3.2. The issue lies in the af2DeleteFontFile function, which does not validate the supplied file name or path before passing it to a deletion operation, a classic CWE-22 path traversal. Because the path is not confined to the directory the function is meant to manage, a caller can use traversal sequences such as ../ to reach any file the web server process is permitted to delete.

Exploitation requires an authenticated account with administrator privileges, which is why the CVSS vector carries PR:H. Such a user can invoke the vulnerable function to delete arbitrary files, including wp-config.php. Deleting that file takes the site offline and, because WordPress falls back to its installation routine when its configuration is missing, can enable site takeover and, depending on server configuration and which files remain, remote code execution. The administrator prerequisite bounds the practical risk: the realistic scenario is a compromised or malicious admin account, or a site hardened to stop administrators from modifying files through the normal plugin and theme mechanisms, where this bug offers a way around that restriction.

According to the referenced Wordfence advisory and the WordPress plugin Trac changesets, the flaw was fixed in version 3.7.4.1 by adding file and path validation. Site owners should update to that release or later without delay. Until the update is applied, the only compensating measure is to minimise and monitor administrator accounts, since the vulnerable function is reachable only at that privilege level.

The EPSS score, which estimates the probability of exploitation in the wild within the next 30 days, rose from lower values to a peak of 0.2573 on 2026-04-05 before receding to the current 0.1278. That trajectory indicates that modelled exploitation interest grew well after public disclosure rather than fading, so the vulnerability should not be treated as stale simply because of its age.

Vulnerability details

The Funnelforms Free plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 3.7.3.2 via the 'af2DeleteFontFile' function. This is due to the plugin not properly validating a file or its path prior to deleting it. This makes it possible for authenticated attackers, with administrator-level access and above, to delete arbitrary files, including the wp-config.php file, which can make site takeover and remote code execution possible.

CWE(s)

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Related Threats

No named threat actor attribution yet; ATT&CK technique mapping is in progress for this CVE.

Affected Assets

Vendor: Funnelforms
Product: Funnelforms Free (WordPress plugin)
Affected versions: ≤ 3.7.3.2

Mitigating Controls

Per-CVE control mapping has not yet run for this CVE; the control below is derived from the weakness type (CWE-22) cited in the NVD entry.

Pathname validation (addresses CWE-22): validate file names and paths before use so that they cannot resolve outside the intended directory. In practice that means rejecting separators and dot-dot segments in user-supplied names, canonicalising the path (which also resolves symlinks), and checking that the resolved result still lies inside the base directory before the file is deleted. In a WordPress plugin this check belongs alongside the usual capability and nonce checks, not instead of them.
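To make the weakness and the control concrete, here is an added example that is not the Funnelforms Free code and does not reproduce af2DeleteFontFile: a hypothetical PHP font-deletion routine in the vulnerable shape the advisory describes (a caller-supplied name joined onto a directory and passed to unlink()), beside a hardened version that confines deletion to the fonts directory. The function names, the fonts directory, the permitted extensions and the throwaway demo files are all assumptions made for this example.

```php
<?php
// Illustrative example only. This is NOT the Funnelforms Free plugin code; the
// function names, directory layout and demo files are made up to show the
// CWE-22 pattern behind CVE-2024-6312 and one way to close it.

// Vulnerable pattern: the file name comes straight from the request and is
// joined onto the fonts directory. A value such as "../wp-config.php" resolves
// outside that directory, and the web server happily deletes whatever it names.
function delete_font_file_vulnerable(string $fonts_dir, string $requested): bool
{
    $path = rtrim($fonts_dir, '/') . '/' . $requested;
    if (!file_exists($path)) {
        return false;
    }
    return unlink($path);
}

// Hardened version: (1) accept only a bare file name with an expected font
// extension, (2) canonicalise both the base directory and the target with
// realpath(), which also follows symlinks, and (3) refuse to delete unless the
// resolved target still lies inside the resolved base directory.
function delete_font_file_safe(string $fonts_dir, string $requested): bool
{
    $base = realpath($fonts_dir);
    if ($base === false || !is_dir($base)) {
        return false; // base directory must exist
    }
    // A bare name has no directory separators; basename() strips them, so any
    // difference means the caller supplied a path, not a name.
    if ($requested === '' || $requested !== basename($requested)) {
        return false;
    }
    // Allow-list the characters and extensions this feature is meant to manage.
    if (!preg_match('/^[A-Za-z0-9_-]+\.(ttf|otf|woff|woff2)$/', $requested)) {
        return false;
    }
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($target === false || !is_file($target)) {
        return false; // missing, or not a regular file
    }
    // Containment check on the resolved path: catches symlinks planted inside
    // the fonts directory that point at files elsewhere on the filesystem.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return unlink($target);
}

// Demo against a throwaway directory (constructed for this example): a fake
// wp-config.php next to a fonts directory that holds a real font file and a
// symlink pointing back at the config file.
$tmp = sys_get_temp_dir() . '/fontdemo_' . bin2hex(random_bytes(4));
mkdir("$tmp/fonts", 0700, true);
file_put_contents("$tmp/wp-config.php", "<?php // pretend config\n");
file_put_contents("$tmp/fonts/brand.woff2", 'font bytes');
symlink("$tmp/wp-config.php", "$tmp/fonts/link.woff2");

foreach ([
    ['../wp-config.php', 'traversal out of the fonts directory'],
    ['link.woff2',       'symlink that escapes the fonts directory'],
    ['brand.woff2',      'legitimate font file'],
] as [$name, $what]) {
    $result = delete_font_file_safe("$tmp/fonts", $name) ? 'deleted' : 'refused';
    printf("hardened   %-18s %-42s -> %s\n", $name, "($what)", $result);
}
printf("wp-config.php still present after the hardened calls: %s\n",
    file_exists("$tmp/wp-config.php") ? 'yes' : 'no');

$result = delete_font_file_vulnerable("$tmp/fonts", '../wp-config.php') ? 'deleted' : 'refused';
printf("vulnerable %-18s %-42s -> %s\n", '../wp-config.php', '(same traversal)', $result);

// Clean up the demo directory.
@unlink("$tmp/fonts/link.woff2");
@unlink("$tmp/fonts/brand.woff2");
@unlink("$tmp/wp-config.php");
@rmdir("$tmp/fonts");
@rmdir($tmp);
```

Run it with `php example.php`: the hardened routine refuses the traversal and the symlink and deletes only the genuine font file, leaving the fake wp-config.php in place, while the vulnerable routine removes the config file with the same input. Two design points carry over to real plugin code. First, the containment check runs on the realpath() result, not on the string the caller sent, because string-level filtering alone misses symlinks and platform-specific path forms. Second, in a WordPress handler this check sits after the usual `current_user_can()` capability test and nonce verification; those gate who may call the function, while the path check limits what even an authorised caller can delete, which is exactly the control that was missing here.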
