CVE-2023-4596: 
WordPress vulnerability analysis and mitigation

The Forminator WordPress plugin (versions up to 1.24.6) contains an unauthenticated arbitrary file upload vulnerability (CVE-2023-4596). The vulnerability was discovered in August 2023 and affects over 400,000 active installations. The issue exists in the uploadpostimage() function where file type validation occurs after the file has been uploaded to the server (Patchstack, WPScan).

The vulnerability exists in the uploadpostimage function where there is no validation of files before they are written to the server. The function can be accessed if the site has a Forminator form with the "Create Post" template that allows unauthenticated users to create posts. The critical issue is that the wpcheckfiletype function to validate file types is only called after the file has already been uploaded using fileputcontents (Patchstack). The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).

This vulnerability allows unauthenticated attackers to upload arbitrary files to the affected site's server, which could lead to remote code execution. Since the file type validation occurs after the upload, attackers can upload malicious PHP files or other harmful content to compromise the website (Patchstack).

The vulnerability was patched in Forminator version 1.25.0. Site administrators are strongly advised to update to this version or later. The patch involves moving the fileputcontents function to execute after proper file type validation has been performed (Patchstack).