RCE in Infusionsoft_gravity_forms_project Infusionsoft_gravity_forms
CVE-2014-6446
The Infusionsoft Gravity Forms plugin 1.5.3 through 1.5.10 for WordPress does not properly restrict access, which allows remote attackers to upload arbitrary files and execute arbitrary PHP code via a request to utilities/code_generator.ph…
Vulnerability class: RCE (Remote Code Execution)
EPSS: 0.822 (99.2th percentile) — read the EPSS interpretation.
Affected products
- Infusionsoft_gravity_forms_project Infusionsoft_gravity_forms — versions 1.5.3, 1.5.4, 1.5.4.1
- N/a — versions n/a
Weakness classification (CWE)
Public proof-of-concept exploits
References
- cve@mitre.org (Exploit, x_refsource_MISC)
- 34925 (Exploit, exploit, x_refsource_EXPLOIT-DB)
- cve@mitre.org (x_refsource_CONFIRM, Patch)
- cve@mitre.org (Exploit, x_refsource_MISC)
- 112171 (x_refsource_OSVDB, vdb-entry)
Frequently asked questions
- What is CVE-2014-6446?
- CVE-2014-6446 is a vulnerability in Infusionsoft_gravity_forms_project Infusionsoft_gravity_forms, classified under Code Injection. Published 2014-09-26.
- Is CVE-2014-6446 known to be exploited?
- 10 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.