CVE-2024-5857

MEDIUM

Funnelforms Free <= 3.7.3.2 - Unauthenticated Arbitrary Media File Deletion via af2_handel_file_remove AJAX Action

Title source: llm
STIX 2.1

Description

The Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the af2_handel_file_remove AJAX action in all versions up to, and including, 3.7.3.2. This makes it possible for unauthenticated attackers to delete arbitrary media files.

Scores

CVSS v3 5.3
EPSS 0.0032
EPSS Percentile 23.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-862
Status published
Products (2)
funnelforms/funnelforms_free < 3.7.4.1
funnelforms/Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free < 3.7.3.2
Published Aug 29, 2024
Tracked Since Feb 18, 2026