CVE-2024-7775

EPSS 0.25%
Veröffentlicht 20.08.2024 04:15:10
Zuletzt bearbeitet 26.08.2024 18:18:22
Quelle security@wordfence.com
CVE-Watchlists
Login
Unerledigt
Login

Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder 2.0 - 2.13.9 - Authenticated (Administrator+) Arbitrary JavaScript File Uploads

The Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder plugin for WordPress is vulnerable to arbitrary JavaScript file uploads due to missing input validation in the addCustomCode function in versions 2.0 to 2.13.9. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary JavaScript files to the affected site's server.

Mögliche Gegenmaßnahme

Bit Form – Custom Contact Form, Multi Step, Conversational Form & Payment Form builder: Update to version 2.13.10, or a newer patched version

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

Weitere Schwachstelleninformationen

SystemWordPress Plugin

≫

Produkt Bit Form – Custom Contact Form, Multi Step, Conversational Form & Payment Form builder

Version 2.0-2.13.9

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Bitapps ≫ Contact Form Builder SwPlatformwordpress Version >= 2.0.0 < 2.13.10

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.25%	0.476

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	4.8	1.7	2.7	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
security@wordfence.com	5.5	2.3	2.7	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://plugins.trac.wordpress.org/browser/bit-form/tags/2.13.6/includes/Admin/AdminAjax.php#L1314

Patch

https://www.wordfence.com/threat-intel/vulnerabilities/id/3936d7dc-840e-41fc-8af4-db40c0cff660?source=cve

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/3936d7dc-840e-41fc-8af4-db40c0cff660

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-7775

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-7775

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-7775

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-7775