CVE-2024-7447
📋 TL;DR
Unauthenticated attackers can upload arbitrary files to WordPress sites running the Funnelforms Free plugin through its file upload handler (action fnsf_af2_handel_file_upload), which does not validate the type of the uploaded file. Every site with a vulnerable version installed and active is affected, whether or not any form has been configured.
💻 Affected Systems
- Funnelforms Free - Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor for WordPress
📦 What is this software?
Funnelforms Free is a WordPress plugin by Funnelforms for building interactive contact forms and multi-step forms with a drag-and-drop editor.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could upload malicious PHP files and achieve remote code execution, potentially taking full control of the WordPress site and underlying server.
Likely Case
Attackers upload malicious files (webshells, malware) to compromise the site, deface content, or use the site for phishing campaigns.
If Mitigated
With proper file type restrictions and web application firewalls, impact is limited to storage consumption and potential denial of service.
🎯 Exploit Status
Exploitation is a single unauthenticated HTTP POST carrying a file to the vulnerable endpoint; no login or prior interaction with the site is required. Public exploit code is available in the references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.7.3.3 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3141470/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Go to Plugins → Installed Plugins.
3. Find Funnelforms Free.
4. Click 'Update Now' if an update is offered.
5. If no update is offered, manually download version 3.7.3.3 or later from WordPress.org and replace the plugin files.
🔧 Temporary Workarounds
Disable plugin
Temporarily deactivate the vulnerable plugin until it can be updated:
wp plugin deactivate funnelforms-free
Web Application Firewall rule
Block requests to the vulnerable endpoint:
Block POST requests to /wp-content/plugins/funnelforms-free/frontend/frontend.php that carry the parameter action=fnsf_af2_handel_file_upload. A rule that inspects only the URL will miss the action when it is sent in the POST body rather than the query string, so use a WAF that inspects request bodies, or block all POST requests to that path if the site does not need them.
🧯 If You Can't Patch
- Implement strict file upload restrictions at web server level
- Monitor upload directories for suspicious files and implement file integrity monitoring
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Funnelforms Free for the installed version. If the version is 3.7.3.2 or lower, the site is vulnerable.
Check Version:
wp plugin get funnelforms-free --field=version
Verify Fix Applied:
Confirm that the plugin version is 3.7.3.3 or higher, and confirm that a file upload attempted from an unauthenticated context is rejected.
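The version check above can be scripted for a fleet of sites. The script below is an added example, not code from the advisory or from the plugin vendor: it compares the version reported by WP-CLI against the last vulnerable release (3.7.3.2, from the fix information above) using a small POSIX version comparison, so trailing components and pre-release suffixes do not produce false negatives. WP_PATH is an assumed environment variable naming the WordPress root to check; the live check only runs when it is set.

```shell
#!/bin/sh
# Added example, not part of the advisory or the plugin: check whether the
# installed Funnelforms Free version is in the vulnerable range (<= 3.7.3.2).
# Assumes WP-CLI is installed; WP_PATH (an assumed env var) points at the
# WordPress root of the site to check.

PLUGIN_SLUG="funnelforms-free"
LAST_VULNERABLE="3.7.3.2"   # from the advisory: fixed in 3.7.3.3
FIXED_VERSION="3.7.3.3"

# version_le A B: succeed when dotted version A <= B, comparing numeric
# components left to right. Missing trailing components count as 0
# (so 3.7.3 <= 3.7.3.2) and non-numeric suffixes are ignored (3.7.3.3-rc1 -> 3).
version_le() {
  _va=$1 _vb=$2
  while [ -n "$_va" ] || [ -n "$_vb" ]; do
    _ca=${_va%%.*} _cb=${_vb%%.*}
    case $_va in *.*) _va=${_va#*.} ;; *) _va= ;; esac
    case $_vb in *.*) _vb=${_vb#*.} ;; *) _vb= ;; esac
    _ca=${_ca%%[!0-9]*} _cb=${_cb%%[!0-9]*}   # keep leading digits only
    _ca=${_ca:-0} _cb=${_cb:-0}
    [ "$_ca" -lt "$_cb" ] && return 0
    [ "$_ca" -gt "$_cb" ] && return 1
  done
  return 0   # all components equal
}

# is_vulnerable VERSION: succeed when VERSION is 3.7.3.2 or lower.
is_vulnerable() {
  version_le "$1" "$LAST_VULNERABLE"
}

# check_site WP_ROOT: ask WP-CLI for the installed version and report.
# Exit status: 0 patched, 1 vulnerable, 2 plugin not installed / wp failed.
check_site() {
  v=$(wp plugin get "$PLUGIN_SLUG" --field=version --path="$1" 2>/dev/null) || {
    echo "$1: $PLUGIN_SLUG not installed (or wp-cli failed)"
    return 2
  }
  if is_vulnerable "$v"; then
    echo "$1: $PLUGIN_SLUG $v is VULNERABLE to CVE-2024-7447; update to $FIXED_VERSION or later"
    return 1
  fi
  echo "$1: $PLUGIN_SLUG $v is patched"
}

# Live check only when WP_PATH is set, e.g.  WP_PATH=/var/www/html sh check.sh
if [ -n "${WP_PATH:-}" ]; then
  check_site "$WP_PATH"
fi
```

Run it once per site root (or loop over your inventory); a non-zero exit status marks sites that still need the update, which makes it easy to feed into a cron job or a configuration-management check.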
📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-content/plugins/funnelforms-free/frontend/frontend.php with action=fnsf_af2_handel_file_upload from unauthenticated users
- Unexpected file uploads to wp-content/uploads/funnelforms/ directory
Network Indicators:
- File upload traffic to the WordPress site from IP addresses that never otherwise interact with its forms
- POST requests carrying file uploads to the plugin endpoint with no authenticated WordPress session
SIEM Query:
source="web_access_logs" AND http_method="POST" AND (uri_path="/wp-content/plugins/funnelforms-free/frontend/frontend.php" OR uri_query="*action=fnsf_af2_handel_file_upload*")
Do not exclude requests by User-Agent (for example with NOT user_agent="WordPress/*"): the header is attacker-controlled, so such an exclusion only creates a blind spot. Access logs record the query string but not the POST body, so an action parameter sent in the body will not appear in this query; correlate hits with new files under wp-content/uploads/funnelforms/.
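The two indicators above (endpoint hits in the access log, unexpected files in the upload directory) can be checked together from a shell on the web host. The script below is an added example and not part of the advisory: it runs the log rule over a constructed sample of combined-format access log lines (RFC 5737 test addresses, not real traffic) and lists PHP-like files under the plugin upload folder. The match on the action name anywhere in the query string is there because WordPress dispatches AJAX actions through /wp-admin/admin-ajax.php; that this handler is reachable there is an assumption on my part, not something the advisory states. UPLOADS_DIR and ACCESS_LOG are assumed environment variables, not anything the plugin defines.

```shell
#!/bin/sh
# Added example, not part of the advisory: triage web access logs and the
# plugin upload directory for signs of CVE-2024-7447 exploitation.
# SAMPLE_LOG is constructed for illustration; UPLOADS_DIR and ACCESS_LOG are
# assumed env vars, not anything the plugin defines.

UPLOAD_ACTION="fnsf_af2_handel_file_upload"
PLUGIN_ENDPOINT="/wp-content/plugins/funnelforms-free/frontend/frontend.php"

# suspicious_posts: read combined-format access log lines on stdin and print
# POST requests whose path is the plugin endpoint, or whose query string
# carries the upload action (covers it being routed via admin-ajax.php too).
# The User-Agent is deliberately not used as a filter: it is attacker-controlled,
# so excluding "WordPress/*" would only create a bypass. An action sent in the
# POST body is not in the access log at all; find_upload_artifacts complements this.
suspicious_posts() {
  awk -v ep="$PLUGIN_ENDPOINT" -v act="$UPLOAD_ACTION" '
    $6 == "\"POST" {
      path = $7; sub(/\?.*/, "", path)          # strip the query string
      if (path == ep || $7 ~ ("[?&]action=" act "(&|$)")) print
    }'
}

# find_upload_artifacts DIR [MINUTES]: list files under DIR with a PHP-like
# extension anywhere in the name (shell.php, shell.phtml, and double-extension
# tricks such as image.php.png); with MINUTES, only files modified that recently.
find_upload_artifacts() {
  if [ -n "${2:-}" ]; then
    find "$1" -type f -mmin "-$2" \( -iname '*.php*' -o -iname '*.phtml' -o -iname '*.phar' \)
  else
    find "$1" -type f \( -iname '*.php*' -o -iname '*.phtml' -o -iname '*.phar' \)
  fi
}

# Constructed sample: lines 1, 2 and 5 should be flagged. Line 4 is a POST to
# admin-ajax.php whose action (if any) is in the body, so the log cannot show
# it; line 5 shows that a "WordPress/..." User-Agent does not earn an exemption.
SAMPLE_LOG='203.0.113.5 - - [10/Aug/2024:12:01:07 +0000] "POST /wp-content/plugins/funnelforms-free/frontend/frontend.php?action=fnsf_af2_handel_file_upload HTTP/1.1" 200 57 "-" "python-requests/2.31"
198.51.100.9 - - [10/Aug/2024:12:01:09 +0000] "POST /wp-admin/admin-ajax.php?action=fnsf_af2_handel_file_upload HTTP/1.1" 200 57 "-" "curl/8.4.0"
192.0.2.7 - - [10/Aug/2024:12:02:11 +0000] "GET /wp-content/plugins/funnelforms-free/frontend/frontend.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
192.0.2.8 - - [10/Aug/2024:12:03:30 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 41 "https://example.com/contact" "Mozilla/5.0"
192.0.2.9 - - [10/Aug/2024:12:04:02 +0000] "POST /wp-content/plugins/funnelforms-free/frontend/frontend.php HTTP/1.1" 200 57 "-" "WordPress/6.5; https://example.com"'

echo "== upload attempts in constructed sample log =="
printf '%s\n' "$SAMPLE_LOG" | suspicious_posts

# Live checks, run only when the paths exist on this host.
UPLOADS_DIR=${UPLOADS_DIR:-/var/www/html/wp-content/uploads/funnelforms}
if [ -d "$UPLOADS_DIR" ]; then
  echo "== PHP-like files under $UPLOADS_DIR modified in the last 24h =="
  find_upload_artifacts "$UPLOADS_DIR" 1440
fi
if [ -n "${ACCESS_LOG:-}" ] && [ -r "$ACCESS_LOG" ]; then
  echo "== upload attempts in $ACCESS_LOG =="
  suspicious_posts < "$ACCESS_LOG"
fi
```

Treat any file the second check returns as an incident artifact: preserve it (with timestamps and ownership) before deleting it, and pivot from its modification time back into the access log to find the request that created it.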