ArForms < 6.6 - Unauthenticated RCE

Description
The plugin allows unauthenticated users to modify uploaded files in such a way that PHP code can be uploaded when an upload file input is included on a form.

Proof of Concept
1. Create a form with an upload input.
2. As an unauthenticated user, upload an image file and intercept the request.
3. Modify it like the following:

Access the file (in the example above it is ) and see the PHP execute.

Affects Plugins
arforms: Fixed in 6.6

References
CVE: CVE-2024-4620

Classification
Type: RCE
OWASP top 10: A1: Injection
CWE: CWE-94
CVSS: 9.8 (critical)

Miscellaneous
Original Researcher: mgthuramoemyint
Submitter: mgthuramoemyint
Submitter twitter: mgthuramoemyint
Verified: Yes
WPVDB ID: dc34dc2d-d5a1-4e28-8507-33f659ead647

Timeline
Publicly Published: 2024-05-17
Added: 2024-05-17
Last Updated: 2024-05-17
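As an added example (not part of this advisory or of the ArForms plugin), the server-side checks that close this class of bug: accept an upload only when its content matches an allowlisted image type, reject any name a web server could hand to the PHP interpreter, store it under a server-chosen name, and re-run the same checks over an existing uploads tree during incident response. The allowlist, function names and constructed inputs are assumptions.

```python
"""Defensive upload validation for a form image input (added example)."""
import os
import re
import secrets

# Allowlist: accepted extension -> magic-byte prefixes the content must start with.
ALLOWED_SIGNATURES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}
# Extensions a web server may execute as PHP, anywhere in the name (e.g. "a.php.png").
EXECUTABLE_PARTS = re.compile(r"\.(php\d*|phtml|phar|phps)(\.|$)", re.IGNORECASE)
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def validate_upload(client_filename: str, content: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). The decision rests on the file content and an
    allowlist, never on the client-supplied name or Content-Type alone."""
    base = os.path.basename(client_filename.replace("\\", "/"))
    if EXECUTABLE_PARTS.search(base):
        return False, "executable extension in filename"
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in ALLOWED_SIGNATURES:
        return False, f"extension '{ext}' not in allowlist"
    if not any(content.startswith(sig) for sig in ALLOWED_SIGNATURES[ext]):
        return False, "magic bytes do not match extension"
    if PHP_TAG.search(content):  # polyglot: valid image header, PHP in the body
        return False, "PHP open tag inside file body"
    return True, "ok"


def stored_name(client_filename: str) -> str:
    """Server-chosen name: random stem plus the (already validated) extension."""
    ext = client_filename.rsplit(".", 1)[-1].lower()
    return f"{secrets.token_hex(16)}.{ext}"


def scan_uploads(root: str) -> list[tuple[str, str]]:
    """Incident-response sweep: apply the same checks to every file already in the
    uploads tree and return (relative path, reason) for each one that now fails."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                content = fh.read()
            ok, reason = validate_upload(name, content)
            if not ok:
                findings.append((os.path.relpath(path, root), reason))
    return sorted(findings)
```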