Stichting Laego

I did check the exploit link for the latest version, and apparently there is nothing at this address.

https://www.your-website.com/wp-content/plugins/formcraft-form-builder/file-upload/server/content/upload.php

There is no File Upload folder in there apparently with the basic version. And the name has changed from “formcraft” to “formcraft-form-builder”, which probably helps reduce the amount of malicious traffic trying at that address.

This worries me. Apparently it’s true for version 2.0 of Formcraft with all WordPress till 5.4: https://packetstormsecurity.com/files/152122/WordPress-FormCraft-2.0-CSRF-Shell-Upload.html

Does this also apply to FormCraft Basic Version 1.2.6? I currently have it installed on WordPress 6.2….

I see that currently only the Premium version has file upload as a feature, the feature that is compromised (dangerous file types can be uploaded, creating a shell). So I guess the exploit does not apply to the basic version?

It says this with the Premium features:

Accept File Uploads

Add a multi-file upload field, allow your users to upload files.