CVE-2024-8756
MEDIUM
Quform - WordPress Form Builder <2.20.0 - Info Disclosure
Title source: llm
Description
The Quform - WordPress Form Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.20.0 via the 'saveUploadedFile' function. This makes it possible for unauthenticated attackers to extract sensitive data, such as Personally Identifiable Information, from files uploaded by users. Files uploaded via forms created before version 2.21.0 will remain vulnerable to exposure after upgrading. To fully patch the plugin, site administrators should download any previously uploaded files, delete previously existing files and forms, and create the forms again after upgrading to version 2.21.0.
References (2)
Core References
Various Sources
https://codecanyon.net/item/quform-wordpress-form-builder/706149
Scores
CVSS v3
5.3
EPSS
0.0037
EPSS Percentile
29.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-200
Status
published
Products (1)
ThemeCatcher/Quform - WordPress Form Builder
< 2.20.0
Published
Nov 09, 2024
Tracked Since
Feb 18, 2026