CVE-2024-12544: 
WordPress vulnerability analysis and mitigation

The SurveyJS: Drag & Drop WordPress Form Builder plugin for WordPress contains a critical vulnerability (CVE-2024-12544) discovered in versions up to and including 1.12.17. The vulnerability stems from a missing capability check in the SurveyJS_DeleteFile class callback function. This security flaw was identified and reported by Thanh Nam Tran on February 28, 2025 (Wordfence Intel).

The vulnerability is classified as a Missing Authorization issue (CWE-862) with a CVSS v3.1 base score of 8.8 (HIGH). The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring low privileges (PR:L) and no user interaction (UI:N). The scope is unchanged (S:U) with high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H) (NVD).

The vulnerability allows authenticated attackers with Subscriber-level access or higher to delete arbitrary files on the server. This capability can lead to remote code execution when critical files, such as wp-config.php, are targeted. As of version 1.12.20, the function remains vulnerable to Cross-Site Request Forgery attacks (NVD).

Updates have been made to address the vulnerability as evidenced in the WordPress plugin repository (WordPress Plugin, Delete File Fix). Users are advised to update to the latest version of the plugin.