SB2025013135 - Missing Authorization in Multi Step Form plugin for WordPress
Published: January 31, 2025
Security Bulletin ID
SB2025013135
Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Data manipulation
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Missing Authorization (CVE-ID: CVE-2024-12427)
The vulnerability allows a remote attacker to bypass authorization checks.
The vulnerability exists due to a missing capability check on the fw_upload_file AJAX action. A remote attacker can upload limited file types such as images.
Remediation
Install update from vendor's website.
References
- https://plugins.trac.wordpress.org/browser/multi-step-form/tags/1.7.22/includes/lib/msf-shortcode.class.php#L100
- https://plugins.trac.wordpress.org/browser/multi-step-form/tags/1.7.22/includes/lib/msf-shortcode.class.php#L30
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3219723%40multi-step-form&new=3219723%40multi-step-form&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/f0a31fee-ccc2-4c3b-b198-6cb750188113?source=cve