CVE-2024-5084

Critical · Nuclei template available

Hash Form - Drag & Drop Form Builder <= 1.1.0 - Unauthenticated Arbitrary File Upload via file_upload_action Function

Title source: llm

Exploitation Summary

EIP tracks 7 public exploits for CVE-2024-5084. PoCs published by Chocapikk, RedTeamBlueTeam, Raeezrbr, including Metasploit module exploits/multi/http/wp_hash_form_rce. A Nuclei detection template is also available.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2024-5084, an unauthenticated arbitrary file upload vulnerability in the Hash Form WordPress plugin (versions <= 1.1.0). The exploit uploads a PHP shell and provides an interactive command execution interface.

Description

The Hash Form – Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'file_upload_action' function in all versions up to, and including, 1.1.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

Exploits (7)

nomisec · Working PoC · 8 stars
by Chocapikk · poc
https://github.com/Chocapikk/CVE-2024-5084

This repository contains a functional exploit for CVE-2024-5084, an unauthenticated arbitrary file upload vulnerability in the Hash Form WordPress plugin (versions <= 1.1.0). The exploit uploads a PHP shell and provides an interactive command execution interface.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Hash Form – Drag & Drop Form Builder <= 1.1.0
Authentication: none needed
Prerequisites: Target WordPress site with vulnerable Hash Form plugin · Network access to the target
Analyzed by devstral-2 on Feb 16, 2026
nomisec · Working PoC · 1 star
by RedTeamBlueTeam · poc
https://github.com/RedTeamBlueTeam/CVE-2024-5084-Red-Team

This repository contains a functional proof-of-concept exploit for CVE-2024-5084, an unauthenticated file upload vulnerability in the Hash Form WordPress plugin (≤ 1.1.0) leading to remote code execution. The exploit uploads a malicious PHP file and provides an interactive shell for command execution.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Hash Form – Drag & Drop Form Builder (≤ 1.1.0)
Authentication: none needed
Prerequisites: WordPress with vulnerable Hash Form plugin installed · Network access to the target WordPress site
Analyzed by devstral-2 on Feb 16, 2026
nomisec · Working PoC
by Raeezrbr · poc
https://github.com/Raeezrbr/CVE-2024-5084

This is a functional exploit for CVE-2024-5084, targeting an arbitrary file upload vulnerability in the Hash Form WordPress plugin. It uploads a PHP reverse shell and triggers it to achieve remote code execution.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Hash Form – Drag & Drop Form Builder WordPress plugin <= 1.1.0
Authentication: none needed
Prerequisites: Python 3 · requests library · prompt_toolkit library · target WordPress site with vulnerable plugin · attacker-controlled server to receive reverse shell
Analyzed by devstral-2 on Feb 16, 2026
nomisec · Working PoC
by WOOOOONG · poc
https://github.com/WOOOOONG/CVE-2024-5084

This PoC exploits an arbitrary file upload vulnerability in WordPress (CVE-2024-5084) by bypassing file extension restrictions to upload a malicious PHP file, enabling remote command execution via a web shell. The exploit automates nonce retrieval, file upload, and interactive command execution.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: WordPress (specific version not specified in PoC)
Authentication: none needed
Prerequisites: Target WordPress instance with vulnerable plugin/theme · Network access to wp-admin/admin-ajax.php
Analyzed by devstral-2 on Feb 16, 2026
nomisec · Working PoC
by NanoWraith · poc
https://github.com/NanoWraith/CVE-2024-5084

This PoC exploits an arbitrary file upload vulnerability in the Hash Form WordPress plugin (CVE-2024-5084) by bypassing file extension restrictions to upload a PHP file. It checks for the vulnerable plugin version, retrieves a nonce, and uploads a PHP file to achieve remote code execution.

Classification: Working PoC (90%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Hash Form WordPress plugin (versions other than 1.1.1)
Authentication: none needed
Prerequisites: Target must have the vulnerable Hash Form plugin installed · WordPress site must be accessible
Analyzed by devstral-2 on Feb 16, 2026
nomisec · Working PoC
by KTN1990 · poc
https://github.com/KTN1990/CVE-2024-5084

This is a functional exploit for CVE-2024-5084, targeting an unauthenticated arbitrary file upload vulnerability in the WordPress Hash Form plugin (versions <= 1.1.0). It uploads a PHP shell to achieve remote code execution.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: WordPress Hash Form – Drag & Drop Form Builder <= 1.1.0
Authentication: none needed
Prerequisites: Python 3 · list of target URLs · network access to vulnerable WordPress sites
Analyzed by devstral-2 on Feb 16, 2026
metasploit · Working PoC · Excellent
by Francesco Carlucci, Valentin Lobstein · ruby · poc · php
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/wp_hash_form_rce.rb

This Metasploit module exploits an unauthenticated arbitrary file upload vulnerability in the WordPress Hash Form plugin (CVE-2024-5084), allowing remote code execution by uploading a malicious PHP file. It retrieves a nonce, uploads the payload, and triggers execution.

Classification: Working PoC (100%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: WordPress Hash Form - Drag & Drop Form Builder plugin <= 1.1.0
Authentication: none needed
Prerequisites: Target running vulnerable WordPress Hash Form plugin · Network access to the WordPress site
Analyzed by devstral-2 on Feb 16, 2026

Nuclei Templates (1)

Hash Form <= 1.1.0 - Arbitrary File Upload
Critical · Verified · by s4e-io

Scores

CVSS v3: 9.8
EPSS: 0.5093
EPSS Percentile: 98.8%
Attack Vector: NETWORK
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: total

Details

CWE: CWE-434
Status: published
Products (2):
hashthemes/Hash Form – Drag & Drop Form Builder < 1.1.0
hashthemes/hash_form < 1.1.1
Published: May 23, 2024
Tracked Since: Feb 18, 2026