
Made I.T. Forms CVE-2024-51791

Severity: CRITICAL, 10.0 (CVSS 3.1, NVD)
Weakness: Unrestricted Upload of File with Dangerous Type (CWE-434)
Published: 2024-11-11 (audit@patchstack.com)

Severity by source

NVD (primary): 10.0 CRITICAL, AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD; the only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline (3 events)

CVSS changed: Apr 23, 2026 - 15:22 (NVD), 10.0 (CRITICAL)
PoC detected: Apr 01, 2026 - 16:19 (vuln.today), public exploit code
CVE published: Nov 11, 2024 - 06:15 (NVD), N/A

Description (CVE.org)

Unrestricted Upload of File with Dangerous Type vulnerability in Made I.T. Forms forms-by-made-it allows Upload a Web Shell to a Web Server. This issue affects Forms: from n/a through <= 2.8.0.

Analysis (AI-generated)

Unrestricted file upload in the Made I.T. Forms WordPress plugin (forms-by-made-it) through version 2.8.0 lets remote, unauthenticated attackers upload arbitrary files, including PHP web shells, leading to full server compromise. With a maximum CVSS score of 10.0 and changed scope, the issue affects all installations up to and including 2.8.0. Publicly available exploit code exists, though EPSS sits at 0.75% (73rd percentile), indicating moderate observed activity rather than mass exploitation.

Technical Context (AI-generated)

The Made I.T. Forms plugin (forms-by-made-it) is a WordPress form-builder extension that accepts file uploads as part of form submissions. The root cause is CWE-434 (Unrestricted Upload of File with Dangerous Type): the upload handler does not adequately validate the file extension, MIME type, or content against an allowlist before persisting the file inside the web-accessible WordPress uploads directory. Because a default WordPress deployment lets the web server execute PHP from anywhere under wp-content, an uploaded .php (or polyglot or double-extension) file can be requested directly and run in the web server's user context, giving the attacker a foothold on the host. The CPE namespace corresponds to the made-it / forms-by-made-it WordPress.org plugin slug; no other products are listed as affected.

Affected Products (AI-generated)

Made I.T. Forms WordPress plugin (slug: forms-by-made-it), all versions from unspecified initial release through and including 2.8.0. The Patchstack advisory (referenced via the audit@patchstack.com reporter channel, typically at patchstack.com/database/vulnerability/forms-by-made-it/) is the primary vendor-facing reference. No other products or bundled components are listed as affected in the available data.

Remediation (AI-generated)

Upgrade the forms-by-made-it plugin to a version above 2.8.0 once the vendor publishes a fix. The available data does not list a confirmed fixed version, so operators should consult the Patchstack advisory for the released patched version before deploying.

If a patched release is not yet available, the most effective compensating control is to deactivate and remove the Made I.T. Forms plugin entirely; this removes the vulnerable upload endpoint at the cost of any forms currently in use on the site.

Less disruptive workarounds include placing the WordPress site behind a WAF with rules blocking POST requests to the plugin's upload handler and rules blocking requests to .php files inside wp-content/uploads; denying PHP execution in the uploads directory via web server configuration (an Apache .htaccess with 'php_flag engine off' or an equivalent nginx location block); and auditing wp-content/uploads for recently created executable files. Note that the WAF and execution-disable controls do not stop the file write, only payload execution, so post-compromise artifacts may still need cleanup.
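The uploads-directory controls described above, as an added example that is not part of the advisory, of vuln.today, or of the plugin: a POSIX shell script that lists PHP-executable files under a WordPress uploads tree, lists recently modified uploads for triage, and prints the Apache and nginx directives that deny PHP execution there. The uploads path, the extension list, and the day window are assumptions.

```shell
#!/bin/sh
# Added example (not from the advisory, vuln.today or the plugin): triage a
# WordPress uploads tree for PHP-executable files and print the web-server
# directives that deny PHP execution there. Paths and the day window are
# assumptions; run against the real wp-content/uploads path on the host.

# Files under $1 whose name carries a PHP-executable extension, including
# double extensions such as shell.php.jpg that some handlers still execute.
find_php_like_uploads() {
    find "$1" -type f \
        \( -iname '*.php' -o -iname '*.php.*' -o -iname '*.phtml' \
           -o -iname '*.php[0-9]' -o -iname '*.phar' -o -iname '*.phps' \) |
        sort
}

# Files under $1 modified within the last $2 days (default 7): uploads that
# appeared around the time of a suspicious POST to the plugin deserve a look.
find_recent_uploads() {
    find "$1" -type f -mtime "-${2:-7}" | sort
}

# Apache: contents for wp-content/uploads/.htaccess. php_flag only applies to
# mod_php (the module is mod_php7.c on PHP 7); FilesMatch also covers PHP-FPM.
apache_deny_php_htaccess() {
    cat <<'EOF'
<IfModule mod_php.c>
    php_flag engine off
</IfModule>
<FilesMatch "\.(php|phtml|php[0-9]|phar|phps)$">
    Require all denied
</FilesMatch>
EOF
}

# nginx: location for the server block, placed before the ~ \.php$ handler so
# this regex match wins for anything under uploads.
nginx_deny_php_location() {
    cat <<'EOF'
location ~* ^/wp-content/uploads/.*\.(php|phtml|php[0-9]|phar|phps)$ {
    deny all;
}
EOF
}

# Usage (paths are assumptions):
#   find_php_like_uploads /var/www/html/wp-content/uploads
#   apache_deny_php_htaccess > /var/www/html/wp-content/uploads/.htaccess
```

The audit functions find what has already been written; the directives only stop execution, so a hit from the first function still needs removal and a look at how it got there.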


CVE-2024-51791 vulnerability details – vuln.today
