Multi Purpose Mail Form CVE-2024-50484
CRITICALSeverity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Unrestricted Upload of File with Dangerous Type vulnerability in Lindeni Mahlalela Multi Purpose Mail Form multi-purpose-mail-form allows Upload a Web Shell to a Web Server.This issue affects Multi Purpose Mail Form: from n/a through <= 1.0.2.
AnalysisAI
Unrestricted file upload in Lindeni Mahlalela's Multi Purpose Mail Form WordPress plugin (versions up to and including 1.0.2) allows remote unauthenticated attackers to upload web shells and achieve remote code execution on the underlying web server. The CVSS 10.0 score reflects the worst-case scenario: network reachable, no authentication, no user interaction, and scope-changed impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis, though EPSS places this in the 82nd percentile, indicating above-average exploitation likelihood relative to other CVEs.
Technical ContextAI
The vulnerability lies in the Multi Purpose Mail Form WordPress plugin, which provides configurable contact/mail forms with file attachment functionality. CWE-434 (Unrestricted Upload of File with Dangerous Type) indicates the plugin fails to validate uploaded file extensions, MIME types, or content against an allowlist before persisting them to a web-accessible directory. In WordPress contexts, this typically manifests as a form handler that accepts attachments via POST and writes them to wp-content/uploads or a plugin-specific directory, where PHP files placed there are executed by the web server, granting the attacker the privileges of the PHP/web server user.
Affected ProductsAI
The Lindeni Mahlalela Multi Purpose Mail Form WordPress plugin (slug: multi-purpose-mail-form) is affected in all versions from unspecified initial release through and including 1.0.2. No CPE strings were provided in the input data. The advisory originates from Patchstack (audit@patchstack.com), and details should be cross-referenced against the Patchstack vulnerability database for the authoritative affected/fixed version mapping.
RemediationAI
No vendor-released patch identified at time of analysis - the affected range is documented as 'n/a through <= 1.0.2' with no confirmed fixed version. Administrators should immediately deactivate and uninstall the Multi Purpose Mail Form plugin from any WordPress site where it is in use, and audit wp-content/uploads and the plugin's upload directory for unexpected PHP, .phtml, .phar, or other executable files indicating prior compromise. As compensating controls until a fix is published, restrict execution of PHP within upload directories via .htaccess rules (Apache: 'php_flag engine off' or denying .php handlers in /uploads) or nginx location blocks, and place the site behind a WAF such as Patchstack, Wordfence, or Cloudflare with file-upload signature protection enabled - note that .htaccess controls do not help if the plugin writes to a non-standard path. Replace the plugin's functionality with a maintained alternative (e.g., Contact Form 7, WPForms, Fluent Forms) before removal to avoid breaking site functionality.
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today