CVE-2024-8756: 
WordPress vulnerability analysis and mitigation

The Quform - WordPress Form Builder plugin for WordPress contains a Sensitive Information Exposure vulnerability (CVE-2024-8756) affecting all versions up to and including 2.20.0. The vulnerability was discovered and disclosed on November 9, 2024, impacting the plugin's 'saveUploadedFile' function (NVD).

The vulnerability exists in the 'saveUploadedFile' function of the Quform WordPress plugin. It has been assigned a CVSS v3.1 base score of 5.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. The vulnerability is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) (NVD).

The vulnerability allows unauthenticated attackers to extract sensitive data, including Personally Identifiable Information (PII), from files that users have uploaded through forms. Notably, files uploaded via forms created before version 2.21.0 will remain vulnerable to exposure even after upgrading (NVD).

To fully remediate this vulnerability, administrators should upgrade to version 2.21.0 or later. Additionally, the following steps are recommended: 1) Download any previously uploaded files, 2) Delete previously existing files and forms, and 3) Create the forms again after upgrading to version 2.21.0 (NVD).