cbcvebase.
CVE-2024-5084
published 2024-05-23


Priority: P183 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 50.93% (98.8th percentile)
The Hash Form – Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'file_upload_action' function in all versions up to, and including, 1.1.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

Affected

2 ranges

Vendor       Product                             Version range   Fixed in
hashthemes   hash_form                           < 1.1.1         1.1.1
hashthemes   hash_form_drag_drop_form_builder    <= 1.1.0        -

Detection & IOCs (extracted from sources)

url:   /wp-admin/admin-ajax.php?action=hashform_file_upload_action
path:  /wp-content/uploads/hashform/temp/
path:  /wp-content/plugins/hash-form/
other: action=hashform_file_upload_action
  • Detect unauthenticated POST requests to admin-ajax.php with the 'hashform_file_upload_action' action parameter; this is the vulnerable upload endpoint and it requires no authentication.
  • Monitor for file creation under /wp-content/uploads/hashform/temp/ — uploaded payloads (including PHP webshells) are staged here and are directly accessible via HTTP.
  • A successful exploit response is an HTTP 200 whose JSON body has 'success' set to true and contains a 'url' field; a subsequent GET to the uploaded file path that returns the uploaded content confirms an RCE-ready file write.
  • The nonce ('ajax_nounce') is exposed in the WordPress page source (pattern '"ajax_nounce":"([0-9a-z]+)","preview_img'); attackers harvest it with an unauthenticated GET to the home page before uploading, so an unauthenticated GET to / shortly followed by the upload POST from the same source is a useful correlation.
  • The vulnerability resides in the 'file_upload_action' function, which performs no file type validation; alert on any non-image/non-document file extension (e.g., .php, .phtml, .php5) uploaded to the hashform temp directory.
  • The plugin is only vulnerable in versions up to and including 1.1.0; confirm the installed plugin version before triaging alerts.
  • The Metasploit module notes that payload delivery and execution adapt to the server environment (e.g., Linux vs. Windows), so the uploaded filename and extension may vary across exploitation attempts.
  • Because the nonce is harvested unauthenticated from the WordPress front page, no login is required at any stage of exploitation — WAF rules should not rely on authenticated session checks to block this attack.
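The detection bullets above, turned into a small log scanner as an added example (not code from the page or from the plugin): it flags POSTs to the upload endpoint, flags fetches of script files from the hashform temp directory, and correlates the two by client IP. The log lines are constructed samples in common access-log format; the assumption is that the action parameter appears in the query string rather than only in the POST body.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access log lines (not real traffic); IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [23/May/2024:10:01:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [23/May/2024:10:01:03 +0000] "POST /wp-admin/admin-ajax.php?action=hashform_file_upload_action HTTP/1.1" 200 98 "-" "Mozilla/5.0"
203.0.113.7 - - [23/May/2024:10:01:04 +0000] "GET /wp-content/uploads/hashform/temp/upload.php HTTP/1.1" 200 33 "-" "Mozilla/5.0"
198.51.100.9 - - [23/May/2024:10:05:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 50 "-" "Mozilla/5.0"
198.51.100.9 - - [23/May/2024:10:05:01 +0000] "GET /wp-content/uploads/hashform/temp/resume.pdf HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# client ip, timestamp, method, request path, status code
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
UPLOAD_ACTION = "hashform_file_upload_action"
TEMP_DIR = "/wp-content/uploads/hashform/temp/"
# Extensions the advisory calls out as non-image/non-document uploads.
SCRIPT_EXT = (".php", ".phtml", ".php5")

def upload_action(request_path):
    """Return the admin-ajax 'action' query parameter, or '' if absent."""
    # Assumption: the action is carried in the query string (body params are not logged).
    qs = parse_qs(urlsplit(request_path).query)
    return qs.get("action", [""])[0]

def scan(log_text):
    """Return (rule, ip, path, status) findings for the two IOC patterns."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, _ts, method, path, status = m.groups()
        if method == "POST" and upload_action(path) == UPLOAD_ACTION:
            findings.append(("hashform_upload_endpoint", ip, path, status))
        plain = urlsplit(path).path
        if plain.startswith(TEMP_DIR) and plain.lower().endswith(SCRIPT_EXT):
            findings.append(("hashform_temp_script_fetch", ip, path, status))
    return findings

def correlate(findings):
    """IPs that both hit the upload endpoint and fetched a script from the temp dir."""
    uploaded = {f[1] for f in findings if f[0] == "hashform_upload_endpoint"}
    fetched = {f[1] for f in findings if f[0] == "hashform_temp_script_fetch"}
    return sorted(uploaded & fetched)
```

An IP that appears in `correlate()` has completed the write-then-fetch sequence the advisory describes and should be triaged first; a lone endpoint hit may be a legitimate form submission on a patched (>= 1.1.1) install.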

CVSS provenance

nvd:           v3.1  9.8  CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vendor_redhat:       5.5  MEDIUM