CVE-2024-51791

CRITICAL

Made I.T. Forms <= 2.8.0 - Unauthenticated Arbitrary File Upload

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-51791. PoCs published by JoshuaProvoste.

AI-analyzed exploit summary This is a functional exploit for CVE-2024-51791, an unauthenticated arbitrary file upload vulnerability in a WordPress forms plugin. It uploads a PHP payload, locates the uploaded file, detects the OS, and provides an interactive shell.

Description

Unrestricted Upload of File with Dangerous Type vulnerability in Made I.T. Forms forms-by-made-it allows Upload a Web Shell to a Web Server.This issue affects Forms: from n/a through <= 2.8.0.

Exploits (1)

nomisec WORKING POC 1 stars
by JoshuaProvoste · poc
https://github.com/JoshuaProvoste/0-click-RCE-Exploit-for-CVE-2024-51791

This is a functional exploit for CVE-2024-51791, an unauthenticated arbitrary file upload vulnerability in a WordPress forms plugin. It uploads a PHP payload, locates the uploaded file, detects the OS, and provides an interactive shell.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: WordPress plugin (version not explicitly specified, but likely <= 2.7.0 based on included files)
No auth needed
Prerequisites: Target URL with vulnerable form endpoint · Form ID value
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Scores

CVSS v3 10.0
EPSS 0.0061
EPSS Percentile 44.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-434
Status published
Products (1)
Made I.T./Forms < 2.8.0
Published Nov 11, 2024
Tracked Since Feb 18, 2026