CVE-2024-12267

CVSS v3 Score
5.3
Medium

Vulnerability Description

The Drag and Drop Multiple File Upload – Contact Form 7 plugin for WordPress is vulnerable to limited arbitrary file deletion due to insufficient file path validation in the dnd_codedropz_upload_delete() function in all versions up to, and including, 1.3.8.5. This makes it possible for unauthenticated attackers to delete limited arbitrary files on the server. It is not possible to delete files like wp-config.php that would make RCE possible.

CVSS:5.3(Medium)

External Control of File Name or Path in GitHub repository dompdf/dompdf prior to 2.0.0.

CWE-73, 2022
CVSS:5.3(Medium)

A CWE-73: External Control of File Name or Path vulnerability exists that could cause loading of unauthorized firmware images when user-controlled data is written to the file path. Affected Products: ...

CWE-73, 2022
CVSS:5.3(Medium)

perfSONAR before 4.4.6 inadvertently supports the parse option for a file:// URL.

CWE-73, 2022
CVSS:5.3(Medium)

A vulnerability was found in Moodle which exists because the application allows a user to control the path of the folder to create in TinyMCE loaders. A remote user can send a specially crafted HTTP request...

CWE-73, 2023
CVSS:5.3(Medium)

IBM Sterling Secure Proxy 6.0.3 and 6.1.0 could allow an attacker to overwrite a log message under specific conditions. IBM X-Force ID: 270598.

CWE-73, 2023
CVSS:5.3(Medium)

A vulnerability was found in SourceCodester Best House Rental Management System 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /index.php. The mani...

CWE-73, 2024