CVE-2024-4620
Published 2024-06-07
Priority P1 · 82 · Critical 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 3.35% (87.2th percentile)
The ARForms - Premium WordPress Form Builder Plugin WordPress plugin before 6.6 allows unauthenticated users to modify uploaded files in such a way that PHP code can be uploaded when an upload file input is included on a form
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| reputeinfosystems | arforms | < 6.6 | 6.6 |
Detection & IOCs (extracted from sources)
path: /wp-content/uploads/arforms/userfiles/{(unknown)}.php
url: /wp-content/uploads/arforms/userfiles/
- Detect a successful PHP webshell upload by checking for an HTTP 200 response whose body contains the uploaded filename with a .php extension, in the form |<filename>.php|
- Confirm remote code execution by issuing a GET request to the uploaded PHP file under /wp-content/uploads/arforms/userfiles/ and verifying that the response body echoes the base64-decoded marker value with HTTP 200
- Monitor for unauthenticated multipart/form-data POST requests (WebKitFormBoundary) to ARForms upload endpoints that result in .php files being written to the arforms/userfiles directory
- The vulnerability is exploitable only when an upload file input is included on an ARForms form; sites without file upload fields on any form are not directly exposed via this vector
- Affected versions are ARForms Premium WordPress Form Builder Plugin before 6.6; confirm the installed version before triaging alerts
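The triage and detection items above, turned into working checks as an added example: this is not code from the ARForms project, from the Nuclei template, or from any source the page cites. It assumes an Apache/nginx Combined Log Format access log, uses only the upload directory the page quotes (/wp-content/uploads/arforms/userfiles/), and treats "before 6.6" as the affected range. The plugin-header sample, the log lines, the filename abc123.php and the extra PHP-executable extensions (.php5, .phtml, .phar, name.php.jpg) are constructed assumptions, not values taken from the page.

```python
"""
Triage helpers for CVE-2024-4620 (ARForms < 6.6, unauthenticated PHP upload).

Added example for this page; not code from the ARForms project, the Nuclei
template, or any cited source. Assumes a Combined Log Format access log and
the upload directory quoted on the page. All sample inputs are constructed.
"""
import re
from typing import Iterable, List, Optional, Tuple

# Directory quoted on the page as the landing spot for uploaded files.
USERFILES_DIR = "/wp-content/uploads/arforms/userfiles/"
# Page says "before 6.6" is affected and 6.6 is the fix.
FIXED_VERSION: Tuple[int, ...] = (6, 6)

# ".php" is what the page names; the other extensions and the "name.php.jpg"
# double-extension case are an assumption, added because PHP handlers on some
# hosts execute them too.
_PHP_EXT_RE = re.compile(r"\.(?:php\d?|phtml|phar)(?:\.|$)", re.IGNORECASE)

# "Version:" header of a WordPress plugin's main file (optionally inside a
# "/* ... */" or " * " comment block).
_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9]+(?:\.[0-9]+)*)", re.MULTILINE)

# Combined Log Format; only the fields the checks need are captured.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_plugin_version(header_text: str) -> Optional[Tuple[int, ...]]:
    """Return the plugin's Version header as an int tuple, e.g. (6, 5, 2)."""
    m = _VERSION_RE.search(header_text)
    if m is None:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable_version(version: Tuple[int, ...]) -> bool:
    """True for any version strictly below 6.6 (tuple compare: 6.5.10 < 6.6)."""
    return version < FIXED_VERSION


def suspicious_upload_paths(paths: Iterable[str]) -> List[str]:
    """Filter a file listing (e.g. from `find`) for PHP-executable names in userfiles."""
    hits = []
    for p in paths:
        norm = p.replace("\\", "/")
        if USERFILES_DIR in norm and _PHP_EXT_RE.search(norm.rsplit("/", 1)[-1]):
            hits.append(p)
    return hits


def detect_userfiles_php_hits(log_lines: Iterable[str]) -> List[dict]:
    """Flag requests that reached a PHP-named file in userfiles and got HTTP 200.

    Server-side view of the page's 'confirm RCE' step: a GET to
    <userfiles>/<name>.php answered with 200. A host that refuses to execute
    PHP under wp-content/uploads answers 403/404 instead, so those lines are
    left alone; non-PHP uploads (PDFs, images) are ignored.
    """
    findings = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if m is None:
            continue
        path = m.group("target").split("?", 1)[0]
        if (USERFILES_DIR in path
                and _PHP_EXT_RE.search(path.rsplit("/", 1)[-1])
                and m.group("status") == "200"):
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "method": m.group("method"),
                "target": m.group("target"),
            })
    return findings


# Constructed sample inputs (not real data).
SAMPLE_PLUGIN_HEADER = """<?php
/*
Plugin Name: ARForms
Version: 6.5.2
*/
"""

SAMPLE_LOG = """\
203.0.113.10 - - [07/Jun/2024:10:00:01 +0000] "POST /contact/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [07/Jun/2024:10:00:02 +0000] "GET /wp-content/uploads/arforms/userfiles/abc123.php?input=Zm9v HTTP/1.1" 200 3 "-" "Mozilla/5.0"
198.51.100.7 - - [07/Jun/2024:10:05:00 +0000] "GET /wp-content/uploads/arforms/userfiles/resume.pdf HTTP/1.1" 200 48213 "-" "Mozilla/5.0"
198.51.100.7 - - [07/Jun/2024:10:06:00 +0000] "GET /wp-content/uploads/arforms/userfiles/old.php HTTP/1.1" 403 199 "-" "curl/8.0"
"""

if __name__ == "__main__":
    v = parse_plugin_version(SAMPLE_PLUGIN_HEADER)
    print("installed:", v, "vulnerable:", is_vulnerable_version(v))
    for hit in detect_userfiles_php_hits(SAMPLE_LOG.splitlines()):
        print("PHP served from userfiles:", hit)
```

Run the version check against the plugin's main file before acting on any alert, as the page advises; the log check deliberately ignores 403/404 answers for .php names, since a host that does not execute PHP under the uploads tree turns the upload into a harmless file. Pipe the output of `find wp-content/uploads/arforms/userfiles -type f` into `suspicious_upload_paths` for a filesystem sweep.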
CVSS provenance
NVD (v3.1): 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.8 CRITICAL
GHSA
GHSA-3444-vgqg-w2gc (ghsa_unreviewed · 2024-06-07 · CRITICAL)
The ARForms - Premium WordPress Form Builder Plugin WordPress plugin before 6.6 allows unauthenticated users to modify uploaded files in such a way that PHP code can be uploaded when an upload file input is included on a form
VulnCheck
ARForms - Premium WordPress Form Builder Plugin for WordPress PHP Code Upload Vulnerability (vulncheck · 2024 · CRITICAL · CVSS 9.8)
The ARForms - Premium WordPress Form Builder Plugin WordPress plugin before 6.6 allows unauthenticated users to modify uploaded files in such a way that PHP code can be uploaded when an upload file input is included on a form.
Affected: ARForms ARForms - Premium WordPress Form Builder Plugin for WordPress
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://patchstack.com/database/vulnerability/arforms/wordpress-arforms-premium-plugin-6-6-unauthenticated-rce-vulnerability
No detection rules found.
Nuclei
ArForms < 6.6 - Remote Code Execution (nuclei · CRITICAL · CVSS 9.8)
Template excerpt as indexed; only the closing boundary of the multipart upload request is shown, followed by the two matcher stages (upload confirmation, then marker echo from the uploaded file):

```yaml
        ------WebKitFormBoundary7y508xYQXqEUtnyQ--
    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "|{(unknown)}.php|")'
          - 'status_code == 200'
        condition: and
        internal: true

  - raw:
      - |
        GET /wp-content/uploads/arforms/userfiles/{(unknown)}.php?input={{base64(marker)}} HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains((body), "{{marker}}")'
          - 'status_code == 200'
        condition: and
# digest: 4b0a00483046022100f03d352b6e18682b6e6ac59ccdbdb1200996d31f6a22e40164f7a2d4935b3bd6022100cfd7df38d17e33fa4e5dd4ad672a246e918b5132c1989c258f10762dcbf04521:922c64590222798bb761d5b6d8e72950
```
No writeups or analysis indexed.