Skip to main content

Multi Purpose Mail Form CVE-2024-50484

CRITICAL
Unrestricted Upload of File with Dangerous Type (CWE-434)
2024-10-29 audit@patchstack.com
10.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
CVSS changed
Apr 23, 2026 - 15:22 NVD
10.0 (CRITICAL)
CVE Published
Oct 29, 2024 - 08:15 nvd
N/A

DescriptionCVE.org

Unrestricted Upload of File with Dangerous Type vulnerability in Lindeni Mahlalela Multi Purpose Mail Form multi-purpose-mail-form allows Upload a Web Shell to a Web Server.This issue affects Multi Purpose Mail Form: from n/a through <= 1.0.2.

AnalysisAI

Unrestricted file upload in Lindeni Mahlalela's Multi Purpose Mail Form WordPress plugin (versions up to and including 1.0.2) allows remote unauthenticated attackers to upload web shells and achieve remote code execution on the underlying web server. The CVSS 10.0 score reflects the worst-case scenario: network reachable, no authentication, no user interaction, and scope-changed impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis, though EPSS places this in the 82nd percentile, indicating above-average exploitation likelihood relative to other CVEs.

Technical ContextAI

The vulnerability lies in the Multi Purpose Mail Form WordPress plugin, which provides configurable contact/mail forms with file attachment functionality. CWE-434 (Unrestricted Upload of File with Dangerous Type) indicates the plugin fails to validate uploaded file extensions, MIME types, or content against an allowlist before persisting them to a web-accessible directory. In WordPress contexts, this typically manifests as a form handler that accepts attachments via POST and writes them to wp-content/uploads or a plugin-specific directory, where PHP files placed there are executed by the web server, granting the attacker the privileges of the PHP/web server user.

Affected ProductsAI

The Lindeni Mahlalela Multi Purpose Mail Form WordPress plugin (slug: multi-purpose-mail-form) is affected in all versions from unspecified initial release through and including 1.0.2. No CPE strings were provided in the input data. The advisory originates from Patchstack (audit@patchstack.com), and details should be cross-referenced against the Patchstack vulnerability database for the authoritative affected/fixed version mapping.

RemediationAI

No vendor-released patch identified at time of analysis - the affected range is documented as 'n/a through <= 1.0.2' with no confirmed fixed version. Administrators should immediately deactivate and uninstall the Multi Purpose Mail Form plugin from any WordPress site where it is in use, and audit wp-content/uploads and the plugin's upload directory for unexpected PHP, .phtml, .phar, or other executable files indicating prior compromise. As compensating controls until a fix is published, restrict execution of PHP within upload directories via .htaccess rules (Apache: 'php_flag engine off' or denying .php handlers in /uploads) or nginx location blocks, and place the site behind a WAF such as Patchstack, Wordfence, or Cloudflare with file-upload signature protection enabled - note that .htaccess controls do not help if the plugin writes to a non-standard path. Replace the plugin's functionality with a maintained alternative (e.g., Contact Form 7, WPForms, Fluent Forms) before removal to avoid breaking site functionality.

Share

CVE-2024-50484 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy