CVE-2024-51791 Overview
CVE-2024-51791 is an Unrestricted Upload of File with Dangerous Type vulnerability (CWE-434) affecting the Made I.T. Forms WordPress plugin (forms-by-made-it). This vulnerability allows attackers to upload a web shell to a web server, potentially leading to full remote code execution on affected WordPress installations.
Critical Impact
This vulnerability enables attackers to upload malicious files including web shells, which can result in complete server compromise, data theft, website defacement, and use of the server for further attacks.
Affected Products
- Made I.T. Forms WordPress Plugin version 2.8.0 and earlier
- WordPress installations using the forms-by-made-it plugin
Discovery Timeline
- 2024-11-11 - CVE-2024-51791 published to NVD
- 2026-04-01 - Last updated in NVD database
Technical Details for CVE-2024-51791
Vulnerability Analysis
This vulnerability stems from improper validation of uploaded file types in the Made I.T. Forms WordPress plugin. The plugin fails to adequately restrict the types of files that can be uploaded through its form functionality, allowing attackers to upload files with dangerous extensions such as .php, .phtml, or other server-executable scripts.
When a malicious file is successfully uploaded to the web server, it can be accessed directly through the web server's public directory structure. If the uploaded file contains PHP code (a web shell), the attacker can execute arbitrary commands on the server with the privileges of the web server process.
Root Cause
The root cause of CVE-2024-51791 is insufficient file type validation in the file upload handling mechanism of the Forms plugin. The application fails to implement proper server-side validation to restrict uploads to safe file types only. This includes missing or inadequate checks for:
- File extension validation against a whitelist of allowed types
- MIME type verification
- File content inspection to detect executable code
- Proper file storage configuration to prevent execution of uploaded files
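The missing checks listed above, as an added example that is not part of this page or of the plugin's own code: a weak handler of the kind CWE-434 describes beside a hardened replacement built on WordPress core helpers (wp_check_filetype_and_ext, wp_handle_upload). The allowlist, the field name and the function names are assumptions.

```php
<?php
// Added illustrative example, not code from the forms-by-made-it plugin.
require_once ABSPATH . 'wp-admin/includes/file.php'; // provides wp_handle_upload()
// Weak pattern of the kind CWE-434 describes: the client-supplied name decides
// the extension, so "shell.php" lands executable in a web-reachable directory.
function weak_save_upload( array $file, string $dir ): string {
    $dest = $dir . '/' . basename( $file['name'] );
    move_uploaded_file( $file['tmp_name'], $dest );
    return $dest;
}

// Hardened handler using WordPress core helpers. $allowed is the form's own
// allowlist in WordPress mime-array form, e.g. array( 'pdf' => 'application/pdf' ).
function hardened_save_upload( array $file, array $allowed ) {
    $name = sanitize_file_name( $file['name'] );
    // 1. Reject a dangerous extension anywhere after the base name, so
    //    "a.php.pdf" is refused as well as "a.php" (mod_mime can execute the former).
    $dangerous = array( 'php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'phps' );
    foreach ( array_slice( explode( '.', strtolower( $name ) ), 1 ) as $segment ) {
        if ( in_array( $segment, $dangerous, true ) ) {
            return new WP_Error( 'bad_ext', 'Executable file types are not accepted.' );
        }
    }

    // 2. Extension and content must agree and both must be in the allowlist:
    //    wp_check_filetype_and_ext() sniffs the bytes and returns false for ext
    //    and type when the file does not match any entry of $allowed.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $name, $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'bad_type', 'File type not allowed or does not match its contents.' );
    }

    // 3. Store under a random, server-chosen name with the verified extension,
    //    so the submitter controls neither the path nor the extension on disk.
    $overrides = array(
        'test_form'                => false,
        'mimes'                    => $allowed,
        'unique_filename_callback' => function ( $dir, $filename, $ext ) {
            return bin2hex( random_bytes( 16 ) ) . $ext; // $ext includes the dot
        },
    );
    $result = wp_handle_upload( $file, $overrides );
    if ( isset( $result['error'] ) ) {
        return new WP_Error( 'upload_failed', $result['error'] );
    }
    return $result; // array with 'file', 'url' and 'type'
}

// Usage with a hypothetical form field named "attachment":
// $allowed = array( 'pdf' => 'application/pdf', 'jpg|jpeg' => 'image/jpeg', 'png' => 'image/png' );
// $saved   = hardened_save_upload( $_FILES['attachment'], $allowed );
```

Even with this handler in place, the web-server configuration in the Workarounds section should still deny script execution under the uploads directory, so that a future validation bypass does not become code execution.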
Attack Vector
An attacker can exploit this vulnerability by submitting a crafted form entry that includes a malicious PHP file disguised or presented as an allowed file type. The attack flow typically involves:
- Identifying a WordPress site using the vulnerable Forms plugin
- Locating a form that accepts file uploads
- Uploading a PHP web shell file through the form
- Determining the upload directory path
- Accessing the uploaded web shell via direct URL
- Executing arbitrary commands on the server
A proof-of-concept exploit has been published on GitHub demonstrating a 0-click RCE exploitation technique for this vulnerability. For technical details, see the GitHub PoC repository.
Detection Methods for CVE-2024-51791
Indicators of Compromise
- Unexpected PHP files in WordPress upload directories (typically wp-content/uploads/)
- Files with suspicious names or extensions in form upload directories
- Web server logs showing POST requests to form endpoints followed by GET requests to unusual file paths
- Unusual outbound connections from the web server
- New or modified cron jobs on the server
Detection Strategies
- Monitor file system changes in WordPress upload directories for newly created PHP or executable files
- Implement file integrity monitoring to detect unauthorized file additions
- Review web server access logs for suspicious patterns of form submissions followed by direct file access
- Deploy Web Application Firewall (WAF) rules to detect web shell upload attempts
- Scan uploaded files with antivirus and malware detection tools
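The log pattern named in the indicators and detection lists above (a form POST followed by a direct GET of a script under the uploads directory from the same client), as an added detection script that is not from this page or the plugin. It assumes Apache/nginx combined-format access logs; the sample lines and the correlation window are constructed.

```php
<?php
// Added example (not from the page or the plugin): flag a form POST followed by
// a GET of an executable file under wp-content/uploads from the same client.
// Assumes Apache/nginx "combined" log format; the sample lines are constructed.
const EXEC_IN_UPLOADS = '#/wp-content/uploads/.*\.(php\d?|phtml|phar)(\?|$)#i';
const WINDOW_SECONDS  = 600; // max gap between the POST and the GET to correlate

// Extract client IP, timestamp, method, path and status from one combined-log line.
function parse_line( string $line ): ?array {
    if ( ! preg_match( '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m ) ) {
        return null;
    }
    $ts = DateTime::createFromFormat( 'd/M/Y:H:i:s O', $m[2] );
    if ( ! $ts ) {
        return null;
    }
    return array( 'ip' => $m[1], 'ts' => $ts->getTimestamp(), 'method' => $m[3],
                  'path' => $m[4], 'status' => (int) $m[5] );
}

// Returns one finding per script fetch in uploads; severity rises when the same
// client POSTed shortly before (the upload-then-execute sequence).
function find_upload_then_exec( array $lines ): array {
    $last_post = array(); // ip => timestamp of that client's most recent POST
    $findings  = array();
    foreach ( $lines as $line ) {
        $r = parse_line( $line );
        if ( null === $r ) {
            continue;
        }
        if ( 'POST' === $r['method'] ) {
            $last_post[ $r['ip'] ] = $r['ts'];
        } elseif ( 'GET' === $r['method'] && preg_match( EXEC_IN_UPLOADS, $r['path'] ) ) {
            $recent     = isset( $last_post[ $r['ip'] ] ) && ( $r['ts'] - $last_post[ $r['ip'] ] ) <= WINDOW_SECONDS;
            $findings[] = array( 'ip' => $r['ip'], 'path' => $r['path'], 'status' => $r['status'],
                                 'severity' => $recent ? 'high' : 'medium' );
        }
    }
    return $findings;
}

// Constructed sample: a form POST, then the same client fetching a PHP file in
// uploads (reported as high); the unrelated image request is not reported.
$sample = array(
    '203.0.113.7 - - [12/Nov/2024:10:01:02 +0000] "POST /contact/ HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Nov/2024:10:01:09 +0000] "GET /wp-content/uploads/2024/11/x7f.php HTTP/1.1" 200 93',
    '198.51.100.4 - - [12/Nov/2024:10:02:00 +0000] "GET /wp-content/uploads/2024/11/logo.png HTTP/1.1" 200 8104',
);
foreach ( find_upload_then_exec( $sample ) as $f ) {
    printf( "%-8s %s %s (HTTP %d)\n", $f['severity'], $f['ip'], $f['path'], $f['status'] );
}
```

A 200 status on the script fetch means the file was served or executed; a 403 from the Workarounds configuration below indicates the upload succeeded but execution was blocked, which still warrants removing the file.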
Monitoring Recommendations
- Enable verbose logging for the Forms plugin and WordPress file operations
- Configure alerts for any PHP file creation in upload directories
- Implement real-time monitoring of web server process behavior for command execution anomalies
- Set up network monitoring to detect reverse shell connections or unusual data exfiltration
How to Mitigate CVE-2024-51791
Immediate Actions Required
- Disable or remove the Made I.T. Forms plugin (forms-by-made-it) if running version 2.8.0 or earlier
- Audit WordPress upload directories for any suspicious or unauthorized files, particularly PHP files
- Review server logs for evidence of exploitation attempts
- Consider using an alternative form plugin with proper file upload security until a patched version is available
Patch Information
At the time of writing, check whether a release of the Forms plugin later than version 2.8.0 is available that addresses this vulnerability. Consult the Patchstack vulnerability report for the latest remediation guidance and patch availability.
Workarounds
- Implement server-level restrictions to prevent PHP execution in upload directories
- Configure the web server to block access to uploaded files with executable extensions
- Use a Web Application Firewall to filter malicious file upload attempts
- Restrict file upload functionality to authenticated users only if possible
# Apache (2.4+) .htaccess example to prevent PHP execution in the uploads directory.
# Place this file at wp-content/uploads/.htaccess (AllowOverride must permit it).
# On Apache 2.2 use "Order deny,allow" / "Deny from all" instead of "Require all denied".
<FilesMatch "\.(?i:php|php3|php4|php5|phtml|phar)$">
Require all denied
</FilesMatch>

# Nginx alternative: add inside the server block, before the generic
# "location ~ \.php$" block, because the first matching regex location wins.
location ~* /wp-content/uploads/.*\.(php|php3|php4|php5|phtml|phar)$ {
    deny all;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.