CVE-2024-1169
Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) <= 2.8.7 - Missing Authorization to Unauthenticated Media Upload
| Score | Value |
|---|---|
| CVSS Score | 7.5 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
The Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) plugin for WordPress is vulnerable to unauthorized media upload due to a missing capability check on the buddyforms_upload_handle_dropped_media function in all versions up to, and including, 2.8.7. This makes it possible for unauthenticated attackers to upload media files.
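The flaw described above is a WordPress AJAX handler that can be reached without any authorization check. As an added illustration of what such a handler needs (this is not the plugin's own code, which the trac references below point at), here is a hardened upload handler written in the WordPress API: the action slug `example_upload_media` and function `example_upload_handle_dropped_media` are assumed names.

```php
<?php
// Added example: a hardened WordPress AJAX upload handler (not the plugin's code).
// Assumed names: action slug 'example_upload_media', nonce action 'example_upload_media'.

// Register for authenticated users only. Deliberately NOT registering
// 'wp_ajax_nopriv_example_upload_media' means anonymous visitors have no route at all.
add_action( 'wp_ajax_example_upload_media', 'example_upload_handle_dropped_media' );

function example_upload_handle_dropped_media() {
    // 1. Authentication: reject anonymous callers even if a nopriv hook were ever added.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( array( 'message' => 'Authentication required.' ), 401 );
    }

    // 2. Authorization: the capability check whose absence is CWE-862 (Missing Authorization).
    //    'upload_files' is the core capability that gates the media library.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. CSRF: verify a nonce bound to this action (passed as the 'nonce' request field).
    //    check_ajax_referer() terminates the request on failure.
    check_ajax_referer( 'example_upload_media', 'nonce' );

    if ( empty( $_FILES['file'] ) ) {
        wp_send_json_error( array( 'message' => 'No file supplied.' ), 400 );
    }

    // media_handle_upload() lives in wp-admin and needs these helpers loaded on AJAX requests.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/image.php';
    require_once ABSPATH . 'wp-admin/includes/media.php';

    // 4. Let core validate the file: media_handle_upload() runs WordPress's MIME/extension
    //    checks and stores the result as an attachment owned by the current user.
    $attachment_id = media_handle_upload( 'file', 0 );
    if ( is_wp_error( $attachment_id ) ) {
        wp_send_json_error( array( 'message' => $attachment_id->get_error_message() ), 400 );
    }

    wp_send_json_success( array(
        'attachment_id' => $attachment_id,
        'url'           => wp_get_attachment_url( $attachment_id ),
    ) );
}
```

Checks 1 and 2 are the ones this CVE is about; the nonce and the core upload validation are the other two controls an upload endpoint should not ship without. When auditing a plugin for this class of bug, look for `wp_ajax_nopriv_*` registrations and for handlers that call `wp_handle_upload()` or write to the uploads directory without a preceding `current_user_can()` call.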
| Field | Value |
|---|---|
| CWE | CWE-862 (Missing Authorization) |
| Vendor | themekraft |
| Product | post form – registration form – profile form for user profiles – frontend content forms for user submissions (ugc) |
| Published | Mar 7, 2024 |
| Last Updated | Apr 8, 2026 |
CVSS v3 Breakdown
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

| Metric | Value |
|---|---|
| Attack Vector | Network (AV:N) |
| Attack Complexity | Low (AC:L) |
| Privileges Required | None (PR:N) |
| User Interaction | None (UI:N) |
| Scope | Unchanged (S:U) |
| Confidentiality | None (C:N) |
| Integrity | High (I:H) |
| Availability | None (A:N) |
Affected Versions
themekraft / Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC)
All versions from 0 up to and including 2.8.7
References
- wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/6d14a90d-65ea-45da-956b-0735e2e2b538?source=cve
- plugins.trac.wordpress.org (affected function): https://plugins.trac.wordpress.org/browser/buddyforms/trunk/includes/functions.php#L1466
- plugins.trac.wordpress.org (fix changeset): https://plugins.trac.wordpress.org/changeset/3046092/buddyforms/trunk/includes/functions.php?contextall=1&old=3023795&old_path=%2Fbuddyforms%2Ftrunk%2Fincludes%2Ffunctions.php
Credits
Lucio Sá