What is CVE-2024-4620?

CVE-2024-4620 is tracked as a Remote Code Execution issue affecting the Plugin ARforms.

Which ARforms versions are affected?

The primary affected range is Versions up to 6.5.

How should operators remediate CVE-2024-4620?

Update to 6.6 or newer where that release is compatible with the site.

Vulnerability Report

Plugin Critical Patch path listed CVE-2024-4620

ARForms Form Builder <= 6.5 - Unauthenticated Arbitrary File Upload

The ARforms plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 6.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

Quick Answer

CVE-2024-4620 is a critical severity with CVSS 10.0 Remote Code Execution issue affecting the Plugin ARforms. It affects Versions up to 6.5 and is fixed in 6.6.

Back to Feed View Plugin Hub Open CVE Reference

Published

May 17, 2024

Last Updated

Jun 18, 2024

Slug

arforms

Risk Profile

10.0 CVSS Score

Weakness

Unrestricted Upload of File with Dangerous Type

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Researchers

Thura Moe Myint (mgthuramoemyint)

Operational Summary

What the operator needs to know

Share Email

Patch Status

Patched release is available

Remediation

Update to version 6.6, or a newer patched version

Operator Briefing

CVE-2024-4620 is tracked for the Plugin ARforms as critical severity with CVSS 10.0. The affected range is Versions up to 6.5. Update ARforms to 6.6 or newer where that version is compatible with the site.

Issue Type

Remote Code Execution

Primary Fixed Version

6.6

Primary Affected Range

Versions up to 6.5

Tracking ID

CVE-2024-4620

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/10bad8bc-ee0a-48e6-b7f9-6651a7ab3049?source=api-prod

Detailed Metadata

Software Type	Plugin
Software Slug	arforms View on wordpress.org
CVE	CVE-2024-4620
Patched Versions	6.6
Affected Versions	Versions up to 6.5

Related CVE Cluster

Related CVEs for ARforms

These internal links group the same WordPress plugin by CVE, issue type, severity, and patch status so operators and search engines can connect the full vulnerability cluster.

High CVE-2024-32706 6.4.1 Apr 22, 2024

CVE-2024-32706 ARforms SQL Injection

ARforms <= 6.4 - Authenticated (Subscriber+) SQL Injection

High CVE-2024-32703 6.4.1 Apr 22, 2024

CVE-2024-32703 ARforms Vulnerability

ARForms <= 6.4 - Missing Authorization to Arbitrary File Deletion

High CVE-2024-54216 No patch listed Dec 02, 2024

CVE-2024-54216 ARforms Vulnerability

ARForms <= 6.4.1 - Directory Traversal to Authenticated (Subscriber+) Arbitrary File Read

High CVE-2019-16902 4.0 Oct 11, 2019

CVE-2019-16902 ARforms Vulnerability

ARforms <= 3.7.1 - Unauthenticated Arbitrary File Deletion

High CVE-2018-15818 3.5.2 Oct 17, 2018

CVE-2018-15818 ARforms Vulnerability

Repute ARForms <= 3.5.1 - Unauthenticated Arbitrary File Deletion via Path Traversal

Medium CVE-2024-0427 6.4.1 May 22, 2024

CVE-2024-0427 ARforms Cross-Site Scripting

ARForms - Premium WordPress Form Builder <= 6.4.0 - Reflected Cross-Site Scripting

Medium CVE-2024-32702 6.4.1 Apr 22, 2024

CVE-2024-32702 ARforms Cross-Site Scripting

ARforms <= 6.4 - Reflected Cross-Site Scripting

Medium CVE-2024-54217 No patch listed Dec 02, 2024

CVE-2024-54217 ARforms Vulnerability

ARForms <= 6.4.1 - Missing Authorization to Plugin Settings Change

Licensing Notices

This record contains material that is subject to copyright

DEFIANT

License: Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you include a hyperlink to this vulnerability record and reproduce Defiant's copyright designation and this license in any such copy. Read more

MITRE

License: CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Common Vulnerabilities and Exposures (CVE®). Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy. Read more