Vulnerabilities and security researches forhash-form hash-form

Jun 07, 2024

CVE, Research URL: CVE-2024-5084
Home page URL: Security reports for Hash Form – Drag & Drop Form Builder
Application: Hash Form – Drag & Drop Form Builder
Date: May 23, 2024
Research Description: The Hash Form – Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'file_upload_action' function in all versions up to, and including, 1.1.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2024-5085
Home page URL: Security reports for Hash Form – Drag & Drop Form Builder
Application: Hash Form – Drag & Drop Form Builder
Date: May 23, 2024
Research Description: The Hash Form – Drag & Drop Form Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.1.0 via deserialization of untrusted input in the 'process_entry' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
Affected versions: Min -, max -.
Status: vulnerable

Oct 06, 2024

CVE, Research URL: CVE-2024-9417
Home page URL: Security reports for Hash Form – Drag & Drop Form Builder
Application: Hash Form – Drag & Drop Form Builder
Date: Oct 05, 2024
Research Description: The Hash Form – Drag & Drop Form Builder plugin for WordPress is vulnerable to limited file uploads due to a misconfigured file type validation in the 'handleUpload' function in all versions up to, and including, 1.1.9. This makes it possible for unauthenticated attackers to upload files that are excluded from both the 'allowedExtensions' and 'unallowed_extensions' arrays on the affected site's server, including files that may contain cross-site scripting.
Affected versions: Min -, max -.
Status: vulnerable

Dec 13, 2024

CVE, Research URL: CVE-2024-12201
Home page URL: Security reports for Hash Form – Drag & Drop Form Builder
Application: Hash Form – Drag & Drop Form Builder
Date: Dec 12, 2024
Research Description: The Hash Form – Drag & Drop Form Builder plugin for WordPress is vulnerable to unauthorized access due to a missing capability check when creating form styles in all versions up to, and including, 1.2.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to create new form styles.
Affected versions: Min -, max -.
Status: vulnerable

May 09, 2025

CVE, Research URL: CVE-2025-47468
Home page URL: Security reports for Hash Form – Drag & Drop Form Builder
Application: Hash Form – Drag & Drop Form Builder
Date: May 07, 2025
Research Description: Cross-Site Request Forgery (CSRF) vulnerability in hashthemes Hash Form allows Cross Site Request Forgery. This issue affects Hash Form: from n/a through 1.2.8.
Affected versions: Min -, max -.
Status: vulnerable