CVE-2024-4620
published 2024-06-07


Priority: P1 (82) · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 3.35% (87.2nd percentile)
The ARForms - Premium WordPress Form Builder Plugin WordPress plugin before 6.6 allows unauthenticated users to modify uploaded files in such a way that PHP code can be uploaded when an upload file input is included on a form

Affected

1 range

Vendor             Product   Version range   Fixed in
reputeinfosystems  arforms   < 6.6           6.6

Detection & IOCs (extracted from sources)

path: /wp-content/uploads/arforms/userfiles/{(unknown)}.php
url:  /wp-content/uploads/arforms/userfiles/
  • Detect a successful PHP file upload by checking for an HTTP 200 response whose body contains the uploaded filename with a .php extension, in the pattern |<filename>.php|
  • Confirm remote code execution by issuing a GET request to the uploaded PHP file under /wp-content/uploads/arforms/userfiles/ and verifying that the response body echoes back the base64-decoded marker value with HTTP 200
  • Monitor for unauthenticated multipart/form-data POST requests (WebKitFormBoundary) to ARForms upload endpoints that result in .php files being written to the arforms/userfiles directory
  • The vulnerability is exploitable only when an upload file input is included on an ARForms form; sites without file upload fields on any form are not directly exposed via this vector
  • Affected versions are ARForms Premium WordPress Form Builder Plugin before 6.6; confirm the installed version before triaging alerts

CVSS provenance

NVD (v3.1):  9.8 CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck:   9.8 CRITICAL