CVE-2024-5084
Published 2024-05-23
Priority: P183 · Severity: critical · Score: 9.8 (CVSS 3.1)
Exploit available · EPSS 50.93% (98.8th percentile)
The Hash Form – Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'file_upload_action' function in all versions up to, and including, 1.1.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hashthemes | hash_form | < 1.1.1 | 1.1.1 |
| hashthemes | hash_form_drag_drop_form_builder | <= 1.1.0 | — |
Detection & IOCs (extracted from sources)
- Detect unauthenticated POST requests to admin-ajax.php with the 'hashform_file_upload_action' action parameter, which is the vulnerable upload endpoint requiring no authentication.
- Monitor for file creation under /wp-content/uploads/hashform/temp/ — uploaded payloads (including PHP webshells) are staged here and directly accessible via HTTP.
- A successful exploit response contains the JSON fields 'success', 'true', and 'url' with HTTP 200; a subsequent GET to the uploaded file path returning the uploaded content confirms an RCE-ready file write.
- The nonce value is extracted from the WordPress page source using the pattern '"ajax_nounce":"([0-9a-z]+)","preview_img' — attackers harvest this nonce from an unauthenticated GET to the home page before uploading.
- The vulnerability resides in the 'file_upload_action' function with no file type validation; alert on any non-image/non-document file extension (e.g., .php, .phtml, .php5) uploaded to the hashform temp directory.
- The plugin is only vulnerable in versions up to and including 1.1.0; confirm the installed plugin version before triaging alerts.
- The Metasploit module notes that payload delivery and execution adapt based on the server environment (e.g., Linux vs. Windows), so the uploaded filename/extension may vary across exploitation attempts.
- The nonce ('ajax_nounce') is harvested unauthenticated from the WordPress front page, meaning no login is required at any stage of exploitation — WAF rules should not rely on authenticated session checks to block this attack.
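The access-log correlation described in the notes above, as an added example that is not part of this record or of any referenced tool. It assumes Apache/nginx combined log format and uses constructed sample lines; it flags a client that POSTs to admin-ajax.php and then fetches an executable file from the hashform temp directory within a short window.

```python
import re
from datetime import datetime

# Constructed sample lines (combined log format): client A POSTs to the upload endpoint and
# then fetches a .php file from the temp directory; client B uploads a PDF via a normal form.
SAMPLE_LOG = """\
203.0.113.7 - - [23/May/2024:10:15:02 +0000] "POST /wp-admin/admin-ajax.php?action=hashform_file_upload_action HTTP/1.1" 200 87 "-" "curl/8.0"
203.0.113.7 - - [23/May/2024:10:15:03 +0000] "GET /wp-content/uploads/hashform/temp/x7d1.php HTTP/1.1" 200 19 "-" "curl/8.0"
198.51.100.9 - - [23/May/2024:10:16:10 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 412 "https://example.test/contact/" "Mozilla/5.0"
198.51.100.9 - - [23/May/2024:10:16:11 +0000] "GET /wp-content/uploads/hashform/temp/resume.pdf HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
"""
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
UPLOAD_ENDPOINT = "/wp-admin/admin-ajax.php"
TEMP_DIR = "/wp-content/uploads/hashform/temp/"
EXEC_EXTENSIONS = (".php", ".phtml", ".php5")  # extensions named in the detection notes

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # not a combined-format request line
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["status"] = int(ev["status"])
    return ev

def is_upload_post(ev):
    # The action parameter is only visible here when sent in the query string; a bare
    # POST to admin-ajax.php is the weaker signal and is still used for correlation.
    return ev["method"] == "POST" and ev["path"].split("?")[0] == UPLOAD_ENDPOINT

def is_exec_fetch(ev):
    path = ev["path"].split("?")[0].lower()
    return (ev["method"] == "GET" and ev["status"] == 200
            and path.startswith(TEMP_DIR) and path.endswith(EXEC_EXTENSIONS))

def find_suspicious(log_text, window_s=300):
    """Return (ip, upload_request, fetched_path) for each client that POSTed to
    admin-ajax.php and within window_s fetched an executable file from the temp dir."""
    last_post, hits = {}, []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if is_upload_post(ev):
            last_post[ev["ip"]] = ev
        elif is_exec_fetch(ev) and ev["ip"] in last_post:
            post = last_post[ev["ip"]]
            if (ev["ts"] - post["ts"]).total_seconds() <= window_s:
                hits.append((ev["ip"], post["path"], ev["path"]))
    return hits
```

Pair this with a filesystem watch on the temp directory, since a request-body action parameter never reaches the access log.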
CVSS provenance
- NVD (CVSS v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- vendor_redhat: 5.5 MEDIUM
GHSA
GHSA-rgr9-6xwp-v98f (ghsa_unreviewed · 2024-05-23): CVE-2024-5084 [CRITICAL] CWE-434
The Hash Form – Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'file_upload_action' function in all versions up to, and including, 1.1.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Red Hat
CVE-2024-39509 [MEDIUM] (vendor_redhat · 2024-07-12 · CVSS 5.5): kernel: HID: core: remove unnecessary WARN_ON() in implement()
In the Linux kernel, the following vulnerability has been resolved:
HID: core: remove unnecessary WARN_ON() in implement()
Syzkaller hit a warning [1] in a call to implement() when trying
to write a value into a field of smaller size in an output report.
Since implement() already has a warn message printed out with the
help of hid_warn() and value in question gets trimmed with:
...
value &= m;
...
WARN_ON may be considered superfluous. Remove it to suppress future
syzkaller triggers.
[1]
```text
WARNING: CPU: 0 PID: 5084 at drivers/hid/hid-core.c:1451 implement drivers/hid/hid-core.c:1451 [inline]
WARNING: CPU: 0 PID: 5084 at drivers/hid/hid-core.c:1451 hid_output_report+0x548/0x760 drivers/hid/hid-core.c:1863
Modules linked in:
CPU:
```
No detection rules found.
Metasploit
WordPress Hash Form Plugin RCE (metasploit)
The Hash Form - Drag & Drop Form Builder plugin for WordPress suffers from a critical vulnerability due to missing file type validation in the file_upload_action function. This vulnerability exists in all versions up to and including 1.1.0. Unauthenticated attackers can exploit this flaw to upload arbitrary files, including PHP scripts, to the server, potentially allowing for remote code execution on the affected WordPress site. This module targets multiple platforms by adapting payload delivery and execution based on the server environment.
Nuclei
Hash Form <= 1.1.0 - Arbitrary File Upload (nuclei · CVSS 9.8 · CVE-2024-5084 [CRITICAL])
The Hash Form Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'file_upload_action' function in all versions up to, and including, 1.1.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Template:
```yaml
id: CVE-2024-5084

info:
  name: Hash Form <= 1.1.0 - Arbitrary File Upload
  author: s4e-io
  severity: critical
  description: |
    The Hash Form Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'file_upload_action' function in all versions up to, and including, 1.1.0. This makes it possible for un
```
References:
- https://plugins.trac.wordpress.org/browser/hash-form/trunk/admin/classes/HashFormBuilder.php#L764
- https://plugins.trac.wordpress.org/changeset/3090341/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/eef9e2fa-d8f0-42bf-95ac-ee4cafff0b14?source=cve