CVE-2023-6133

CVSS v3 Score: 4.9 (Medium)

Vulnerability Description

The Forminator plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient blacklisting in the 'forminator_allowed_mime_types' function in versions up to, and including, 1.27.0. This makes it possible for authenticated attackers with administrator-level capabilities or above to upload arbitrary files on the affected site's server, but due to the .htaccess configuration, remote code cannot be executed.

CVSS: 4.9 (Medium)

In CMS Made Simple (CMSMS) 2.2.2, remote authenticated administrators can upload a .php file via a FileManager action to admin/moduleinterface.php.

CVSS: 4.9 (Medium)

In CMS Made Simple (CMSMS) 2.2.2, remote authenticated administrators can upload a .php file via a CMSContentManager action to admin/moduleinterface.php, followed by a FilePicker action to admin/modul...

CVSS: 4.9 (Medium)

Frog CMS 0.9.5 has an Upload vulnerability that can create files via /admin/?/plugin/file_manager/save.

CVSS: 4.9 (Medium)

In LimeSurvey before 3.14.7, an admin user can leverage a "file upload" question to read an arbitrary file,

CVSS: 4.9 (Medium)

An unrestricted file upload vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated admin user can manipulate the Synchronization feature in the M...

CVSS: 4.9 (Medium)

Digi International ConnectPort LTS 32 MEI, Firmware Version 1.4.3 (82002228_K 08/09/2018), BIOS Version 1.2. Successful exploitation of this vulnerability could allow an attacker to upload a malicious...