8.8
CVE-2021-24224
- EPSS 1.91%
- Veröffentlicht 12.04.2021 14:15:15
- Zuletzt bearbeitet 21.11.2024 05:52:37
- Quelle contact@wpscan.com
- CVE-Watchlists
- Unerledigt
LoginEasy Form Builder <= 1.0 - Authenticated Arbitrary File Upload
Easy Form Builder <= 1.0 - Arbitrary File Upload
The EFBP_verify_upload_file AJAX action of the Easy Form Builder WordPress plugin through 1.0, available to authenticated users, does not have any security in place to verify uploaded files, allowing low privilege users to upload arbitrary files, leading to RCE.
Mögliche Gegenmaßnahme
Easy Form Builder: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Easy-form-builder-by-bitware Project ≫ Easy-form-builder-by-bitware SwPlatformwordpress Version <= 1.0
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
Easy Form Builder
Version
*-1.0
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.91% | 0.771 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 6.5 | 8 | 6.4 |
AV:N/AC:L/Au:S/C:P/I:P/A:P
|
CWE-434 Unrestricted Upload of File with Dangerous Type
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
https://github.com/jinhuang1102/CVE-ID-Reports/blob/e4c33529b20fa70e3a764ff9b1125839fb9900b5/Easy%20Form%20Builder.md
https://wpscan.com/vulnerability/ed0c054b-54bf-4df8-9015-c76704c93484
https://www.wordfence.com/threat-intel/vulnerabilities/id/1af5f7be-cfe2-4e0b-ae84-e44095644d84