
Exploit for Hash Form <= 1.1.0 - Arbitrary File Upload (CVE-2024-5084)

Description:

The Hash Form Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ‘file_upload_action’ function in all versions up to, and including, 1.1.0. This makes it possible for unauthenticated attackers to upload arbitrary files to the affected site’s server, which may make remote code execution possible.
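As an added defensive illustration (not code from the Hash Form plugin or from the Nuclei template), this is the kind of server-side file type validation whose absence the description refers to: the extension is checked against an allowlist, the file content must match that type's magic bytes, and the client-supplied name is never reused on disk. The allowlist and magic-byte table are assumptions chosen for the example.

```python
"""Server-side upload validation of the kind the advisory says was missing.

Added example, not code from the Hash Form plugin or the Nuclei template.
The allowlist and the magic-byte table below are assumptions for illustration.
"""
import os
import re
import secrets

# Extension allowlist with the leading bytes each type must start with.
# The client-supplied MIME type is deliberately not consulted: it is
# attacker-controlled, just like the filename.
ALLOWED_MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}

_SAFE_BASENAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def validate_upload(filename: str, content: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). Accepts only when name and content agree."""
    # Strip any directory component the client may have sent.
    name = os.path.basename(filename.replace("\\", "/"))
    if "\x00" in name:
        return False, "null byte in filename"
    parts = name.split(".")
    # Exactly one extension: rejects "shell.php.jpg", ".htaccess" and bare names.
    if len(parts) != 2:
        return False, "filename must be <base>.<ext>"
    base, ext = parts[0], parts[1].lower()
    if not _SAFE_BASENAME.match(base):
        return False, "unsafe base name"
    if ext not in ALLOWED_MAGIC:
        return False, f"extension .{ext} not allowed"
    # Content must carry the signature of the declared type.
    if not content.startswith(ALLOWED_MAGIC[ext]):
        return False, "content does not match declared type"
    return True, "ok"


def stored_name(ext: str) -> str:
    """Never reuse the client's name on disk; pick a random one per upload."""
    return f"{secrets.token_hex(16)}.{ext.lower()}"
```

Pair this with storing uploads outside the web root or in a directory where the server does not execute scripts, so that even a bypass of the allowlist does not yield code execution.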

Nuclei Template

View the template here: CVE-2024-5084.yaml

Validate with Nuclei

echo "$URL" | nuclei -t ~/nuclei-templates/http/cves/2024/CVE-2024-5084.yaml

References:

https://nvd.nist.gov/vuln/detail/CVE-2024-5084
https://github.com/WOOOOONG/CVE-2024-5084/blob/main/CVE-2024-5084_exploit.py
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/hash-form/hash-form-drag-drop-form-builder-110-unauthenticated-arbitrary-file-upload-to-remote-code-execution