CVE-2024-4620

9.8 CRITICAL

📋 TL;DR

This vulnerability in the ARForms WordPress plugin lets an unauthenticated attacker upload malicious PHP files through a form submission. Any WordPress site running an ARForms version before 6.6 is affected; where the web server executes PHP from the upload location, the upload turns into remote code execution.

💻 Affected Systems

Products:
  • ARForms - Premium WordPress Form Builder Plugin
Versions: All versions before 6.6
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires a form with file upload functionality to be exploitable.

📦 What is this software?

ARForms is a commercial (premium) WordPress form-builder plugin used to create contact and data-collection forms on a site. Forms can include file-upload fields, which is the feature this vulnerability abuses.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server compromise via remote code execution, allowing attackers to install backdoors, steal data, or pivot to other systems.

🟠 Likely Case

Website defacement, malware injection, or data theft through uploaded web shells.

🟢 If Mitigated

Limited impact if file-upload fields are removed from forms or the web server is configured never to execute scripts in the upload directory; in that case an attacker can still place a file, but cannot run it.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward and requires no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.6

Vendor Advisory: https://wpscan.com/vulnerability/dc34dc2d-d5a1-4e28-8507-33f659ead647/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the ARForms plugin.
4. Click 'Update Now' if an update is offered.
5. Otherwise, obtain version 6.6 or later from the vendor's distribution channel for the premium plugin and install it manually (Plugins > Add New > Upload Plugin, or replace the plugin directory over SFTP).

🔧 Temporary Workarounds

Disable file uploads in ARForms

Platform: all

Temporarily remove or disable file upload fields from all ARForms forms.

Web server file type restrictions

Platform: linux (Apache httpd)

Configure the web server so that PHP files under the upload directory are never executed or served. This does not stop the upload itself, but it removes the path from upload to code execution. On nginx the equivalent is a location block that denies requests for .php files under /wp-content/uploads/.

# Apache .htaccess example. Place it in wp-content/uploads; it only takes
# effect if AllowOverride permits it for that directory.
<FilesMatch "\.(php|php[0-9]|phtml|phar)$">
    # Apache 2.4 syntax; on Apache 2.2 use "Order Allow,Deny" and "Deny from all"
    Require all denied
</FilesMatch>

🧯 If You Can't Patch

  • Disable the ARForms plugin entirely until patched
  • Implement WAF rules that block multipart uploads whose filename ends in a PHP-executable extension (.php, .php5, .php7, .phtml, .phar) or whose body contains a PHP open tag (<?php); treat filename checks alone as bypassable and keep the server-side execution block in place.

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin > Plugins > Installed Plugins for ARForms version. If version is below 6.6, site is vulnerable.

Check Version:

# WordPress CLI (run from the WordPress root, or pass --path=/path/to/wordpress):
wp plugin list --name=arforms --field=version
# Or read the "Version:" line of the plugin header in the plugin's main PHP file
# (adjust the directory name if the plugin is installed under a different slug):
grep -m1 -i "Version:" wp-content/plugins/arforms/*.php

Verify Fix Applied:

Confirm ARForms plugin version is 6.6 or higher in WordPress admin panel.
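The version check above is easy to get wrong by hand (a plain string compare ranks "6.10" below "6.6"), and the same sweep that confirms the fix should also confirm nothing was left behind in the upload directory. The following is an added example, not code from this page or from the ARForms project: it parses a "Version:" plugin header, compares it numerically against the fixed release 6.6, and lists files in an uploads tree that the web server might execute. The sample header is constructed, the main plugin file name is not given on this page (so the caller supplies its contents), and the extension list is an assumption about a typical mod_php/PHP-FPM setup.

```python
import re

# First release the advisory lists as fixed.
FIXED_VERSION = "6.6"

# Extensions a typical mod_php / PHP-FPM setup executes (assumption; extend it
# with anything your own server maps to the PHP handler).
EXEC_EXTENSIONS = {".php", ".php5", ".php7", ".php8", ".phtml", ".phar"}

# WordPress reads a plugin's version from a "Version:" line in the header
# comment of its main PHP file. This page does not name that file for ARForms,
# so callers pass in the file contents.
VERSION_HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.IGNORECASE | re.MULTILINE)

# Constructed sample header (not the real plugin file).
SAMPLE_HEADER = """<?php
/*
Plugin Name: ARForms
Version: 6.5.2
*/
"""


def parse_plugin_version(header_text):
    """Return the Version: value from a plugin header, or None if absent."""
    m = VERSION_HEADER_RE.search(header_text)
    return m.group(1) if m else None


def version_tuple(version):
    """Turn '6.5.2' into (6, 5, 2) for numeric comparison. Trailing zeros are
    dropped so 6.6.0 equals 6.6; non-numeric suffixes ('7.0-beta') are ignored."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_vulnerable(version):
    """True when the installed version predates the fixed release."""
    return version_tuple(version) < version_tuple(FIXED_VERSION)


def suspicious_upload_paths(paths):
    """Given file paths from a wp-content/uploads tree, return those that should
    never be there: files with an executable extension anywhere in the name
    (so 'img.php.jpg' is reported for review too) and .htaccess files, which
    can re-enable execution inside the directory."""
    flagged = []
    for path in paths:
        name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name == ".htaccess":
            flagged.append(path)
            continue
        extensions = ["." + e for e in name.split(".")[1:]]
        if any(e in EXEC_EXTENSIONS for e in extensions):
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    import os
    import sys

    installed = parse_plugin_version(SAMPLE_HEADER)
    print("installed:", installed, "vulnerable:", is_vulnerable(installed))
    # Sweep a real uploads directory when one is given on the command line.
    if len(sys.argv) > 1:
        found = [os.path.join(d, f) for d, _, files in os.walk(sys.argv[1]) for f in files]
        for p in suspicious_upload_paths(found):
            print("REVIEW:", p)
```

Run it with the path to the uploads directory as the first argument to get a review list; every hit should be explained or removed, since a file-upload form has no legitimate reason to leave a PHP file there.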

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads to ARForms upload directories
  • .php files in upload folders
  • POST requests to ARForms endpoints with file uploads

Network Indicators:

  • HTTP POST requests with file uploads to /wp-content/plugins/arforms/ endpoints (if your forms submit through /wp-admin/admin-ajax.php, which WordPress plugins commonly use for form handling, watch that path as well after confirming with a real submission)
  • Any request for a .php file under /wp-content/uploads/, which should never be served from that directory

SIEM Query:

source="web_server" AND http_method="POST" AND uri_path STARTS WITH "/wp-content/plugins/arforms/" AND content_type CONTAINS "multipart/form-data"

Use a prefix match: an exact match on the directory path never matches a request for a file inside it. A user-agent clause is not useful here, since the attacker chooses the user agent. A second, higher-confidence query looks for web-shell access rather than the upload itself:

source="web_server" AND uri_path STARTS WITH "/wp-content/uploads/" AND uri_path MATCHES "\.(php|php[0-9]|phtml|phar)$"
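The two indicators above (a multipart POST to an ARForms path, then a request for a PHP file under uploads) are far stronger together than apart. The following is an added example, not code from this page or from the ARForms project: it parses Apache/nginx combined-format access log lines, reports every request for a PHP-executable file under /wp-content/uploads/, and flags a client that POSTed to the ARForms plugin path and then requested such a file within a ten-minute window. The log lines are constructed, the handler path "submit-handler" under the plugin directory is a placeholder (the page does not name the real endpoint), and the combined format carries no Content-Type, so the match keys on method and path.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format. Fields after status and size (referrer,
# user agent) are ignored; Content-Type is not in this format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Prefixes that receive ARForms submissions. The exact handler path is not on
# this page; if your forms submit through /wp-admin/admin-ajax.php, add that
# prefix after confirming with a real submission.
SUBMISSION_PREFIXES = ("/wp-content/plugins/arforms/",)
UPLOADS_PREFIX = "/wp-content/uploads/"
EXEC_EXT_RE = re.compile(r"\.(php|php[0-9]|phtml|phar)$", re.IGNORECASE)

# Constructed sample log lines; "submit-handler" and "example/shell.php" are placeholders.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jun/2024:10:01:02 +0000] "POST /wp-content/plugins/arforms/submit-handler HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Jun/2024:10:01:31 +0000] "GET /wp-content/uploads/example/shell.php?cmd=id HTTP/1.1" 200 88 "-" "curl/8.0"',
    '198.51.100.4 - - [12/Jun/2024:10:05:00 +0000] "POST /wp-content/plugins/arforms/submit-handler HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [12/Jun/2024:10:06:10 +0000] "GET /wp-content/uploads/2024/06/photo.jpg HTTP/1.1" 200 40211 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [12/Jun/2024:11:30:00 +0000] "GET /wp-content/uploads/old/x.phtml HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    rec["status"] = int(rec["status"])
    return rec


def classify(rec):
    """Label a record as an ARForms submission, a PHP request under uploads, or neither."""
    if rec["method"] == "POST" and rec["path"].startswith(SUBMISSION_PREFIXES):
        return "arforms_post"
    if rec["path"].startswith(UPLOADS_PREFIX) and EXEC_EXT_RE.search(rec["path"]):
        return "php_in_uploads"
    return None


def php_requests_in_uploads(lines):
    """Every request for a PHP-executable file under uploads/ is an indicator on
    its own. Returns (ip, path, status); a 200 means the server served or
    executed the file, a 404 means someone probed for one."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and classify(rec) == "php_in_uploads":
            hits.append((rec["ip"], rec["path"], rec["status"]))
    return hits


def correlated_suspects(lines, window_seconds=600):
    """High-confidence hits: the same client POSTs to an ARForms endpoint and,
    within the window, requests a PHP file under uploads/ (upload, then shell)."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec)
        if kind:
            events[rec["ip"]].append((rec["ts"], kind, rec["path"]))
    suspects = {}
    for ip, evs in events.items():
        post_times = [ts for ts, kind, _ in evs if kind == "arforms_post"]
        for ts, kind, path in evs:
            if kind != "php_in_uploads":
                continue
            if any(0 <= (ts - pt).total_seconds() <= window_seconds for pt in post_times):
                suspects.setdefault(ip, []).append(path)
    return suspects


if __name__ == "__main__":
    for ip, path, status in php_requests_in_uploads(SAMPLE_LOG):
        print("PHP under uploads:", ip, path, status)
    for ip, paths in correlated_suspects(SAMPLE_LOG).items():
        print("upload-then-execute from", ip, "->", paths)
```

Feed real log lines in place of SAMPLE_LOG (for example, `correlated_suspects(open("access.log"))`). Every entry from php_requests_in_uploads deserves a look regardless of correlation; the correlated set is the one to page on.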

🔗 References

  • WPScan advisory: https://wpscan.com/vulnerability/dc34dc2d-d5a1-4e28-8507-33f659ead647/