ByteOS Network

NVD Vulnerability Details :

CVE-2024-9507

Awaiting Analysis

Source-security@wordfence.com

Published At-11 Oct, 2024 | 13:15

Updated At-15 Oct, 2024 | 12:58

The Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 2.15.2 due to improper input validation within the iconUpload function. This makes it possible for authenticated attackers, with Administrator-level access and above, to leverage a PHP filter chain attack and read the contents of arbitrary files on the server, which can contain sensitive information.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	3.1	4.9	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Type: Secondary

Version: 3.1

Base score: 4.9

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Weaknesses

CWE ID	Type	Source
CWE-20	Primary	security@wordfence.com

CWE ID: CWE-20

Type: Primary

Source: security@wordfence.com

References

Hyperlink	Source	Resource
https://plugins.trac.wordpress.org/browser/bit-form/trunk/includes/Admin/AdminAjax.php#L1210	security@wordfence.com	N/A
https://plugins.trac.wordpress.org/changeset/3165686/	security@wordfence.com	N/A
https://plugins.trac.wordpress.org/changeset/3165686/bit-form/trunk/includes/Admin/AdminAjax.php	security@wordfence.com	N/A
https://wordpress.org/plugins/bit-form/#developers	security@wordfence.com	N/A
https://www.wordfence.com/threat-intel/vulnerabilities/id/aa46842f-ed07-4f72-aedb-aa27baecd79c?source=cve	security@wordfence.com	N/A