cleantalk
Vulnerabilities and Security Researches

SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity, CVE-2024-12544

CVE, Research URL

CVE-2024-12544

Home page URL

Security reports for SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity

Application

SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity

Published on
Mar 01, 2025
Research Description
The SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity plugin for WordPress is vulnerable to arbitrary file deletion due to a missing capability check on the callback function of the SurveyJS_DeleteFile class in all versions up to, and including, 1.12.17. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). This function is still vulnerable to Cross-Site Request Forgery as of 1.12.20.
Affected versions
Min -, max 1.12.18.
Status
vulnerable
Previous vulnerability researches
SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity (CVE-2024-12544) , Mar 02, 2025
SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity (CVE-2025-32256) , Apr 05, 2025
SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity (CVE-2025-32167) , Apr 05, 2025
SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity (CVE-2024-50427) , Oct 27, 2024
New vulnerability
3DPrint Lite (CVE-2025-3428) , Apr 09, 2025
3DPrint Lite (CVE-2025-3429) , Apr 09, 2025
3DPrint Lite (CVE-2025-3427) , Apr 09, 2025
3DPrint Lite (CVE-2025-3430) , Apr 09, 2025
Widgetize Pages Light (CVE-2025-32117) , Apr 09, 2025