CVE-2024-5084

9.8 CRITICAL

📋 TL;DR

The Hash Form WordPress plugin allows unauthenticated attackers to upload arbitrary files due to missing file type validation. This vulnerability affects all versions up to 1.1.0 and can lead to remote code execution on vulnerable WordPress sites.

💻 Affected Systems

Products:
  • Hash Form – Drag & Drop Form Builder WordPress plugin
Versions: All versions up to and including 1.1.0
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: All WordPress installations with vulnerable plugin versions are affected regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete server compromise via remote code execution, allowing attackers to install malware, steal data, or create backdoors.

🟠 Likely Case: Attackers upload web shells to gain persistent access, deface websites, or use servers for malicious activities.

🟢 If Mitigated: File uploads blocked or restricted to safe file types only, preventing code execution.

🌐 Internet-Facing: HIGH - Unauthenticated exploitation makes internet-facing WordPress sites immediately vulnerable.
🏢 Internal Only: MEDIUM - Internal systems still vulnerable but require network access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple file upload bypass with no authentication required, making exploitation trivial.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.1.1

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3090341/

Restart Required: No

Instructions:

1. Update the Hash Form plugin to version 1.1.1 or later via the WordPress admin panel.
2. Verify that the update completed successfully.
3. Test the file upload functionality.

🔧 Temporary Workarounds

Disable plugin (platform: all)

Temporarily disable the Hash Form plugin until it is patched:

wp plugin deactivate hash-form

Restrict file uploads (platform: linux)

Block file uploads via a web application firewall or .htaccess:

# Add to .htaccess. The rule must be on its own line (not inside the comment) and needs the rewrite engine enabled;
# it returns 403 for direct requests to PHP-family files under the plugin directory.
RewriteEngine On
RewriteRule ^wp-content/plugins/hash-form/.*\.(php|phtml|php3|php4|php5|php7|phps)$ - [F,L]

🧯 If You Can't Patch

  • Remove plugin entirely if not essential
  • Implement strict file upload filtering at web server level

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin > Plugins > Hash Form for the installed version. If the version is ≤ 1.1.0, the site is vulnerable.

Check Version:

wp plugin get hash-form --field=version

Verify Fix Applied:

Verify plugin version is 1.1.1 or higher and test file upload with malicious extensions.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads to hash-form plugin directory
  • PHP files with suspicious names in uploads

Network Indicators:

  • POST requests to /wp-admin/admin-ajax.php with file upload parameters

SIEM Query:

source="web_logs" AND uri="/wp-admin/admin-ajax.php" AND action="file_upload_action" AND file_extension IN ("php", "phtml", "php3")
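A small log-triage script for the indicators above, added here as an example (not part of the advisory or the plugin). It assumes Apache/nginx combined-format access logs and WordPress default paths; the sample lines and the double-extension check are constructed assumptions.

```python
import os
import re

# Extension list taken from the page's .htaccess workaround rule.
PHP_EXTENSIONS = {"php", "phtml", "php3", "php4", "php5", "php7", "phps"}
AJAX_URI = "/wp-admin/admin-ajax.php"
UPLOADS_PREFIX = "/wp-content/uploads/"

# Apache/nginx combined-format request line (assumed log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)

def has_php_extension(name):
    """True if any dotted suffix is a PHP-family extension, so 'shell.php'
    and a double-extension name like 'shell.php.jpg' are both flagged
    (the double-extension check is an added assumption, not from the page)."""
    suffixes = name.lower().rsplit("/", 1)[-1].split(".")[1:]
    return any(s in PHP_EXTENSIONS for s in suffixes)

def classify_line(line):
    """Map one access-log line to the page's indicators: 'ajax_post' for a POST to
    admin-ajax.php (the request line carries no filename, so every POST is reported
    and needs WAF-side body inspection), 'php_in_uploads' for a PHP-family path
    under the uploads directory, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("uri").split("?", 1)[0]
    if m.group("method") == "POST" and path == AJAX_URI:
        return "ajax_post"
    if path.startswith(UPLOADS_PREFIX) and has_php_extension(path):
        return "php_in_uploads"
    return None

def scan_upload_tree(root):
    """Walk the uploads directory on disk and return file paths with PHP-family extensions."""
    return sorted(
        os.path.join(d, f) for d, _, files in os.walk(root) for f in files if has_php_extension(f)
    )

# Constructed sample log lines (not from the page); RFC 5737 test addresses.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jun/2024:12:00:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Jun/2024:12:00:02 +0000] "GET /wp-content/uploads/2024/06/x.php HTTP/1.1" 200 13',
    '198.51.100.7 - - [10/Jun/2024:12:01:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 40',
    '198.51.100.9 - - [10/Jun/2024:12:02:00 +0000] "GET /wp-content/uploads/2024/06/photo.jpg HTTP/1.1" 200 9000',
]
```

Run `classify_line` over each line of the access log and `scan_upload_tree("/var/www/html/wp-content/uploads")` on the server; an `ajax_post` from an IP followed shortly by a `php_in_uploads` hit from the same IP is the sequence worth escalating.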

🔗 References