CVE-2023-6133
published 2023-11-15


Priority: P426 | Severity: medium | CVSS 3.1: 4.9
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
EPSS: 0.87% (54.1th percentile)
The Forminator plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient blacklisting on the 'forminator_allowed_mime_types' function in versions up to, and including, 1.27.0. This makes it possible for authenticated attackers with administrator-level capabilities or above to upload arbitrary files on the affected site's server, but due to the htaccess configuration, remote code cannot be executed.

Affected

1 range

Vendor | Product | Version range | Fixed in
incsub | forminator | <= 1.27.0 |