CVE-2024-9417: 
WordPress vulnerability analysis and mitigation

The Hash Form – Drag & Drop Form Builder plugin for WordPress (versions up to and including 1.1.9) contains a vulnerability identified as CVE-2024-9417. The vulnerability was discovered by Rein Daelman and disclosed on October 4, 2024. This security issue stems from a misconfigured file type validation in the 'handleUpload' function, affecting the plugin's file upload functionality (NVD, Wordfence).

The vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) and has received a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The technical issue lies in the 'handleUpload' function where the file type validation is improperly configured, allowing for bypass of both the 'allowedExtensions' and 'unallowed_extensions' arrays (NVD).

The vulnerability enables unauthenticated attackers to upload files that bypass the intended file type restrictions on the affected site's server. This includes the potential for uploading files containing cross-site scripting payloads, which could lead to compromised website security and potential data exposure (NVD).

A patch has been released to address this vulnerability. Users should upgrade to version 1.2.0 or later of the Hash Form plugin to mitigate this security risk (WordPress Patch).