CVE-2024-5084 Scanner
CVE-2024-5084 scanner - Arbitrary File Upload vulnerability in Hash Form Drag & Drop Form Builder plugin for WordPress
Short Info
Level
Critical
Single Scan
Single Scan
Can be used by
Asset Owner
Estimated Time
10 seconds
Time Interval
29 days
Scan only one
Domain, IPv4, Subdomain
Toolbox
-
Hash Form Drag & Drop Form Builder plugin for WordPress is a widely used tool for creating customizable forms on WordPress websites. It is utilized by website administrators and developers to enable drag-and-drop form creation without needing extensive coding knowledge. This plugin is popular due to its ease of use and flexibility. However, it is critical that users keep it updated to avoid potential vulnerabilities. The plugin is used across various industries for managing form submissions and user interactions on WordPress sites.
The Hash Form Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'file_upload_action' function in all versions up to, and including, 1.1.0. This allows unauthenticated attackers to upload arbitrary files to the server. Exploiting this vulnerability could lead to remote code execution. The issue is critical and needs immediate attention to mitigate risks.
The vulnerability lies in the 'file_upload_action' function of the Hash Form Drag & Drop Form Builder plugin, where there is a lack of proper file type validation. Attackers can exploit this by sending a specially crafted request to the server, allowing them to upload arbitrary files. This includes malicious scripts that could be executed on the server, potentially leading to full control over the affected website. The vulnerable endpoint is 'admin-ajax.php?action=hashform_file_upload_action' and the 'qqfile' parameter is the one being exploited.
If exploited, this vulnerability could allow attackers to upload and execute malicious files on the server, potentially leading to remote code execution. This could result in complete control over the affected WordPress site, data theft, defacement, and the use of the server for malicious activities such as distributing malware. The integrity, confidentiality, and availability of the website and its data could be severely compromised.
By using the S4E platform, you can proactively manage and mitigate cybersecurity threats to your digital assets. Our platform offers comprehensive vulnerability scanning, detailed reporting, and actionable remediation steps to ensure your systems are secure. Join us to benefit from our user-friendly interface, continuous monitoring, and expert support, helping you stay ahead of potential threats and protect your digital presence effectively.
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-5084
- https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/hash-form/hash-form-drag-drop-form-builder-110-unauthenticated-arbitrary-file-upload-to-remote-code-execution
- https://github.com/WOOOOONG/CVE-2024-5084/blob/main/CVE-2024-5084_exploit.py
