CVE-2021-24224
HIGH
Easy Form Builder < 1.0 - Authenticated Arbitrary File Upload via EFBP_verify_upload_file AJAX Action
Title source: llm
Description
The EFBP_verify_upload_file AJAX action of the Easy Form Builder WordPress plugin through 1.0, available to authenticated users, does not have any security in place to verify uploaded files, allowing low privilege users to upload arbitrary files, leading to RCE.
References (2)
Core References
Third Party Advisory x_refsource_confirm
https://wpscan.com/vulnerability/ed0c054b-54bf-4df8-9015-c76704c93484
Exploit, Third Party Advisory x_refsource_misc
https://github.com/jinhuang1102/CVE-ID-Reports/blob/e4c33529b20fa70e3a764ff9b1125839fb9900b5/Easy%20Form%20Builder.md
Scores
CVSS v3: 8.8
EPSS: 0.0191
EPSS Percentile: 77.2%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-434
Status: published
Products (1)
easy-form-builder-by-bitware_project/easy-form-builder-by-bitware < 1.0
Published: Apr 12, 2021
Tracked Since: Feb 18, 2026