CVE-2024-12427: Multi Step Form <= 1.7.23 - Missing Authorization to Unauthenticated Limited File Upload

5.3 CVSS

Description

The Multi Step Form plugin for WordPress is vulnerable to unauthorized limited file upload due to a missing capability check on the fw_upload_file AJAX action in all versions up to, and including, 1.7.23. This makes it possible for unauthenticated attackers to upload limited file types such as images.
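The bug class behind this entry is a WordPress AJAX handler that is reachable by visitors who are not logged in (registered through the `wp_ajax_nopriv_` hook) and accepts a file without checking a capability or a nonce. The sketch below is an illustration added by the editor, not code from the Multi Step Form plugin or from the Wordfence write-up: the handler names `msf_upload_vulnerable` / `msf_upload_hardened`, the nonce action `msf_upload_nonce` and the allowlist are assumptions; only the shape of the missing check and of its fix is the point.

```php
<?php
// Added illustration of the "missing authorization on an AJAX upload" pattern.
// Not the plugin's own code; all msf_* names are hypothetical.

// --- Vulnerable shape -------------------------------------------------------
// wp_ajax_nopriv_{action} fires for requests from users who are NOT logged in,
// so whatever the handler does is an unauthenticated endpoint on admin-ajax.php.
add_action( 'wp_ajax_fw_upload_file',        'msf_upload_vulnerable' );
add_action( 'wp_ajax_nopriv_fw_upload_file', 'msf_upload_vulnerable' );

function msf_upload_vulnerable() {
    if ( empty( $_FILES['file'] ) ) {
        wp_send_json_error( 'no file' );
    }
    require_once ABSPATH . 'wp-admin/includes/file.php';
    // wp_handle_upload() still enforces WordPress' default allowed-MIME list,
    // which is why the impact is "limited" file types such as images, but
    // nothing here asks who the caller is or whether the request was intended.
    $result = wp_handle_upload( $_FILES['file'], array( 'test_form' => false ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'] );
    }
    wp_send_json_success( $result['url'] );
}

// --- Hardened shape ---------------------------------------------------------
// Only the logged-in hook is registered; the endpoint no longer exists for
// anonymous users at all.
add_action( 'wp_ajax_fw_upload_file', 'msf_upload_hardened' );

function msf_upload_hardened() {
    // 1. CSRF: the request must carry a nonce minted for this action
    //    (hypothetical nonce action name, sent in the 'nonce' POST field).
    check_ajax_referer( 'msf_upload_nonce', 'nonce' );

    // 2. Authorization: the capability check that was missing. 'upload_files'
    //    is the core capability for writing into the media library.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    if ( empty( $_FILES['file'] ) || ! is_uploaded_file( $_FILES['file']['tmp_name'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }

    // 3. Content validation: restrict to the types the form actually needs and
    //    check them against file content, not the client-supplied name/MIME.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
        'pdf'      => 'application/pdf',
    );
    $check = wp_check_filetype_and_ext( $_FILES['file']['tmp_name'], $_FILES['file']['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }

    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $_FILES['file'], array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 500 );
    }
    wp_send_json_success( $result['url'] );
}
```

A front-end form that genuinely has to accept uploads from anonymous visitors cannot simply drop the `nopriv` hook; in that case the nonce tied to the rendered form, the content-based allowlist, a size cap and per-IP rate limiting are the controls that remain, and the upload directory should not be executable. When triaging this CVE on a site, the practical check is whether the installed version is above 1.7.23 and, in the access log, whether `admin-ajax.php` has been receiving `POST` requests with `action=fw_upload_file` from sessions with no WordPress login cookie.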

Classification

CVE ID: CVE-2024-12427

CVSS Base Severity: MEDIUM

CVSS Base Score: 5.3

Affected Products

Vendor: mondula2016

Product: Multi Step Form

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (estimated probability of exploitation in the wild within the next 30 days)

EPSS Percentile: 23.32% (share of scored CVEs with an EPSS score less than or equal to this one)

EPSS Date: 2025-02-14 (date the score was calculated)

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/f0a31fee-ccc2-4c3b-b198-6cb750188113?source=cve
https://plugins.trac.wordpress.org/browser/multi-step-form/tags/1.7.22/includes/lib/msf-shortcode.class.php#L100
https://plugins.trac.wordpress.org/browser/multi-step-form/tags/1.7.22/includes/lib/msf-shortcode.class.php#L30
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3219723%40multi-step-form&new=3219723%40multi-step-form&sfp_email=&sfph_mail=

Timeline