Vulnerability Description
The Multi Step Form plugin for WordPress is vulnerable to unauthorized limited file upload due to a missing capability check on the fw_upload_file AJAX action in all versions up to, and including, 1.7.23. This makes it possible for unauthenticated attackers to upload limited file types such as images.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mondula | Multi Step Form | < 1.7.24 |
Related Weaknesses (CWE)
References
- https://plugins.trac.wordpress.org/browser/multi-step-form/tags/1.7.22/includes/Product
- https://plugins.trac.wordpress.org/browser/multi-step-form/tags/1.7.22/includes/Product
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&oldPatch
- https://www.wordfence.com/threat-intel/vulnerabilities/id/f0a31fee-ccc2-4c3b-b19Third Party Advisory
FAQ
What is CVE-2024-12427?
CVE-2024-12427 is a vulnerability with a CVSS score of 5.3 (MEDIUM). The Multi Step Form plugin for WordPress is vulnerable to unauthorized limited file upload due to a missing capability check on the fw_upload_file AJAX action in all versions up to, and including, 1.7...
How severe is CVE-2024-12427?
CVE-2024-12427 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-12427?
Check the references section above for vendor advisories and patch information. Affected products include: Mondula Multi Step Form.