CVE-2024-6311

7.2 HIGH

📋 TL;DR

The Funnelforms Free WordPress plugin allows authenticated administrators to upload arbitrary files due to missing file type validation. This vulnerability can lead to remote code execution on affected WordPress sites. Only WordPress installations with the vulnerable plugin versions are affected.

💻 Affected Systems

Products:
  • Funnelforms Free WordPress Plugin
Versions: All versions up to and including 3.7.3.2
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires attacker to have administrator-level WordPress access. Plugin must be active and accessible.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers with administrator access upload malicious PHP files and achieve full server compromise, potentially leading to data theft, site defacement, or ransomware deployment.

🟠 Likely Case

Attackers upload web shells or backdoors to maintain persistent access, steal sensitive data, or use the server for further attacks.

🟢 If Mitigated

With proper file upload restrictions and web application firewalls, exploitation attempts are blocked or detected before successful compromise.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires administrator credentials but is technically simple once access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.7.4.1

Vendor Advisory: https://plugins.trac.wordpress.org/browser/funnelforms-free/tags/3.7.4.1/admin/menu_ajax_functions/formularbuilder_fonts.php?rev=3141470#L50

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find Funnelforms Free and click 'Update Now'.
4. Verify the version is 3.7.4.1 or higher.

🔧 Temporary Workarounds

Disable Plugin (platform: all)

Temporarily deactivate the vulnerable plugin until patching is possible.

wp plugin deactivate funnelforms-free

Restrict File Uploads (platform: linux)

Configure the web server to refuse requests for PHP files inside the WordPress upload directories. Uploaded files still land on disk, but they can no longer be executed by requesting them over HTTP. The snippet below is Apache-only and only takes effect if AllowOverride permits .htaccess in that directory; nginx ignores .htaccess files and needs an equivalent location rule.

# Add to .htaccess in wp-content/uploads (Apache 2.2 mod_access syntax):
<Files "*.php">
    Order Deny,Allow
    Deny from all
</Files>
# Apache 2.4 equivalent (mod_authz_core; the 2.2 directives above need mod_access_compat):
<Files "*.php">
    Require all denied
</Files>

🧯 If You Can't Patch

  • Remove administrator access from untrusted users and implement strong password policies
  • Implement web application firewall rules to block suspicious file uploads

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins for Funnelforms Free version ≤ 3.7.3.2

Check Version:

wp plugin get funnelforms-free --field=version

Verify Fix Applied:

Confirm the plugin version is ≥ 3.7.4.1 in the WordPress admin panel

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads to /wp-content/uploads/funnelforms/
  • POST requests to admin-ajax.php with action=af2_add_font

Network Indicators:

  • Unexpected outbound connections from WordPress server
  • File uploads containing executable code

SIEM Query:

source="wordpress.log" AND (uri="/wp-admin/admin-ajax.php" AND parameters.action="af2_add_font")
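The log indicators and SIEM query above, turned into a small offline detector as an added example (not part of the original advisory or the plugin). It parses Apache combined-format access log lines, flags POSTs to admin-ajax.php whose `action` is af2_add_font, and flags requests for PHP files under /wp-content/uploads/funnelforms/. The sample lines are constructed; the check assumes the `action` parameter is visible in the query string, since a value sent only in the POST body never appears in a plain access log and would need a WAF or application log instead.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jul/2024:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=af2_add_font HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Jul/2024:10:01:05 +0000] "GET /wp-content/uploads/funnelforms/x.php HTTP/1.1" 200 77 "-" "curl/8.0"
198.51.100.5 - - [10/Jul/2024:10:02:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 40 "-" "Mozilla/5.0"
198.51.100.6 - - [10/Jul/2024:10:02:30 +0000] "GET /wp-content/uploads/funnelforms/font.woff2 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Enough of the combined format to recover client IP, timestamp, method and request target.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Extensions the PHP handler will typically execute; matched case-insensitively.
EXEC_EXT_RE = re.compile(r"\.ph(p\d?|tml|ar)$", re.I)
UPLOAD_DIR = "/wp-content/uploads/funnelforms/"


def classify(line):
    """Return a finding tag for one access-log line, or None if it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    qs = parse_qs(parts.query)
    # Indicator 1 from the advisory: the vulnerable AJAX action being invoked via POST.
    if (m["method"] == "POST" and parts.path.endswith("/wp-admin/admin-ajax.php")
            and "af2_add_font" in qs.get("action", [])):
        return "af2_add_font_upload"
    # Indicator 2: something executable being requested from the plugin's upload directory.
    if parts.path.startswith(UPLOAD_DIR) and EXEC_EXT_RE.search(parts.path):
        return "php_in_upload_dir"
    return None


def scan(log_text):
    """Return (ip, timestamp, tag, target) for every suspicious line in the log text."""
    findings = []
    for line in log_text.splitlines():
        tag = classify(line)
        if tag:
            m = LOG_RE.match(line)
            findings.append((m["ip"], m["ts"], tag, m["target"]))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(*f)
```

A hit on the second indicator after a hit on the first from the same client is the sequence worth paging on; the first alone is also normal administrator activity when a font is genuinely being added.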
