CVE-2024-7447
MEDIUMFunnelforms Free <= 3.7.3.2 - Unauthenticated Arbitrary File Upload via fnsf_af2_handel_file_upload
Title source: llmDescription
The Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'fnsf_af2_handel_file_upload' function in all versions up to, and including, 3.7.3.2. This makes it possible for unauthenticated attackers to upload arbitrary media to the site, even if no forms exist.
References (3)
Core 3
Core References
Scores
CVSS v3
5.3
EPSS
0.0040
EPSS Percentile
32.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-862
Status
published
Products (2)
funnelforms/funnelforms_free
< 3.7.4.1
funnelforms/Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free
< 3.7.3.2
Published
Aug 28, 2024
Tracked Since
Feb 18, 2026