CVE-2024-6312: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in funnelforms Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free
CVE-2024-6312 is a path traversal vulnerability in the Funnelforms Free WordPress plugin (up to version 3.7.3.2) that allows unauthenticated attackers to delete arbitrary files via the 'af2DeleteFontFile' function. The plugin fails to properly validate file paths before deletion, enabling attackers to target critical files such as wp-config.php. Exploitation requires no user interaction but does require some level of privileges (PR:H) according to the CVSS vector, indicating that the attacker must have some authenticated access. Successful exploitation can lead to site takeover and remote code execution due to deletion of essential configuration files. Although no known exploits are currently in the wild, the vulnerability poses a significant risk to affected WordPress sites using this plugin. The CVSS score is 6.
AI Analysis
Technical Summary
CVE-2024-6312 is a path traversal vulnerability classified under CWE-22, found in the Funnelforms Free plugin for WordPress and affecting all versions up to 3.7.3.2. The vulnerability arises from improper validation of file paths in the 'af2DeleteFontFile' function, which is responsible for deleting font files. Because the supplied path is not confined to the font directory, an attacker can craft input that traverses directories and deletes arbitrary files on the server, including critical WordPress files such as wp-config.php. Deleting wp-config.php disrupts site configuration, potentially causing downtime or enabling further exploitation such as remote code execution or full site takeover. According to the CVSS 3.1 vector (AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H), the attack can be performed remotely over the network with low attack complexity but requires high privileges (an authenticated user with elevated rights). No user interaction is needed, and the impact affects integrity and availability but not confidentiality. Although no public exploits have been reported yet, the vulnerability is significant because of the widespread use of WordPress and the popularity of the Funnelforms plugin. The lack of patch links suggests that a fix may not yet be available, increasing the urgency for mitigation.
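The defect described above is the absence of a containment check between the user-supplied name and the directory the delete operation is meant to serve. The following Python example is added here to illustrate what such a check looks like; it is not the plugin's code, and the font directory layout, the allowed font suffixes and the sibling wp-config.php file are all constructed for the demonstration. The check canonicalises the path (resolving symlinks), insists the input is a bare file name with a font extension, and refuses anything whose resolved parent is not the font directory.

```python
"""Hardened file-deletion path check (added illustration, not the plugin's code).

Given a user-controlled font file name, resolve it against the font directory
and delete it only if the resolved path is a regular file directly inside that
directory. Anything else (traversal, absolute path, symlink escape, non-font
suffix) is rejected before any filesystem mutation happens.
"""
import os
import tempfile
from pathlib import Path

# Assumed allow-list of font file types; adjust for the real upload policy.
ALLOWED_FONT_SUFFIXES = {".ttf", ".otf", ".woff", ".woff2"}


class UnsafePathError(ValueError):
    """Raised when a requested name would escape the font directory."""


def resolve_font_path(fonts_dir: Path, requested: str) -> Path:
    """Map a user-supplied name to a path inside fonts_dir, or raise."""
    base = fonts_dir.resolve()
    # Only a bare file name is acceptable: no directory separators (either
    # style), no empty string, and not the '.' / '..' pseudo-entries.
    if (not requested
            or "\\" in requested
            or requested != os.path.basename(requested)
            or requested in (".", "..")):
        raise UnsafePathError(f"not a bare file name: {requested!r}")
    if Path(requested).suffix.lower() not in ALLOWED_FONT_SUFFIXES:
        raise UnsafePathError(f"not a font file: {requested!r}")
    # Resolve after joining so a symlink placed inside the font directory
    # cannot redirect the delete to a file elsewhere on disk.
    candidate = (base / requested).resolve()
    if candidate.parent != base:
        raise UnsafePathError(f"escapes font directory: {requested!r}")
    return candidate


def delete_font_file(fonts_dir: Path, requested: str) -> bool:
    """Delete a font file by name; True if a file was removed, False if absent."""
    target = resolve_font_path(fonts_dir, requested)
    if not target.is_file():
        return False
    target.unlink()
    return True


def demo() -> dict:
    """Exercise the check against a constructed WordPress-like tree."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed layout: the font directory sits three levels below the
        # site root, where the (stand-in) wp-config.php lives.
        fonts = Path(tmp) / "wp-content" / "uploads" / "funnelforms-fonts"
        fonts.mkdir(parents=True)
        (fonts / "brand.ttf").write_bytes(b"\x00\x01\x00\x00")
        config = Path(tmp) / "wp-config.php"
        config.write_text("<?php // constructed stand-in, not a real config\n")

        results = {"deleted_font": delete_font_file(fonts, "brand.ttf")}
        for bad in ("../../../wp-config.php", "..", "/etc/hosts", "brand.php"):
            try:
                delete_font_file(fonts, bad)
                results[bad] = "deleted"  # must never happen
            except UnsafePathError:
                results[bad] = "rejected"
        results["config_intact"] = config.exists()
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key!r}: {value}")
```

The order of the checks matters: the bare-name test runs before any path is joined, so the resolve step never touches a path the caller controls beyond a single component, and the final parent comparison catches the symlink case that string filtering alone would miss.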
Potential Impact
The vulnerability allows attackers to delete arbitrary files on the web server hosting the WordPress site, which can severely impact the integrity and availability of the affected system. Deletion of critical files like wp-config.php can cause site outages, loss of configuration, and enable attackers to gain further control over the site, potentially leading to remote code execution and full site compromise. Organizations relying on the affected plugin risk service disruption, data loss, and reputational damage. Since WordPress powers a significant portion of websites globally, the impact can be widespread, especially for sites that do not have robust access controls or monitoring. The requirement for high privileges limits exploitation to users with some authenticated access, but insider threats or compromised accounts could exploit this vulnerability to escalate damage. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits once the vulnerability is public.
Mitigation Recommendations
Organizations should immediately audit their WordPress installations to identify the presence of the Funnelforms Free plugin and its version. Until an official patch is released, administrators should consider disabling or uninstalling the plugin to eliminate the attack surface. If removal is not feasible, restrict access to the plugin’s administrative functions to trusted users only and implement strict file system permissions to prevent unauthorized file deletions. Web application firewalls (WAFs) can be configured to detect and block suspicious requests attempting path traversal patterns targeting the 'af2DeleteFontFile' function. Monitoring file integrity, especially for critical files like wp-config.php, can provide early detection of exploitation attempts. Additionally, enforce strong authentication and limit user privileges to reduce the risk posed by authenticated attackers. Stay alert for official patches or updates from the vendor and apply them promptly once available.
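The WAF and monitoring advice above amounts to one concrete question: did any request reach the font-delete function carrying a path that leaves the font directory? The Python below is an added example of that check run over web server access logs; it is not from the page's vendor or the plugin. The request shape (an admin-ajax call whose query names the function and passes the file in a `file` parameter) and the log lines are constructed assumptions for the demonstration, so the endpoint match should be adjusted to whatever the real plugin exposes.

```python
"""Access-log detection for traversal attempts against a file-delete endpoint.

Added illustration. The endpoint shape (admin-ajax action and 'file' parameter)
and the log lines are constructed; only the function name comes from the
advisory.
"""
import re
from urllib.parse import unquote

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [25/Feb/2026:21:39:12 +0000] "POST /wp-admin/admin-ajax.php?action=af2DeleteFontFile&file=brand.ttf HTTP/1.1" 200 57 "-" "Mozilla/5.0"
203.0.113.10 - - [25/Feb/2026:21:39:20 +0000] "POST /wp-admin/admin-ajax.php?action=af2DeleteFontFile&file=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 57 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Feb/2026:21:40:01 +0000] "GET /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Feb/2026:21:40:15 +0000] "POST /wp-admin/admin-ajax.php?action=af2DeleteFontFile&file=../../../wp-config.php HTTP/1.1" 403 199 "-" "curl/8.4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A '..' path component in either separator style.
TRAVERSAL_RE = re.compile(r'(^|[/\\])\.\.([/\\]|$)')
ENDPOINT_MARKER = "af2DeleteFontFile"


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so encoded separators are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyse_line(line: str):
    """Return an alert dict for a suspicious delete request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = fully_decode(m.group("target"))
    if ENDPOINT_MARKER not in target:
        return None
    query = target.partition("?")[2]
    values = [part.partition("=")[2] for part in query.split("&") if part]
    suspicious = [v for v in values
                  if TRAVERSAL_RE.search(v) or v.startswith(("/", "\\"))]
    if not suspicious:
        return None
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "status": int(m.group("status")),
        "payload": suspicious[0],
    }


def scan(log_text: str) -> list:
    """Run analyse_line over every line and collect the alerts."""
    return [a for a in (analyse_line(l) for l in log_text.splitlines()) if a]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        # A 200 means the request was served; a 403 means a WAF or rule blocked
        # it, which is still worth recording as an attempt.
        print(alert)
```

Decoding until the value is stable matters because the web server and PHP decode the query before the plugin sees it, so a rule that only inspects the raw line would miss the percent-encoded form. Pair this with file integrity monitoring on wp-config.php as the page recommends: the log tells you an attempt happened, the integrity check tells you whether it succeeded.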
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, India, Brazil, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-06-25T12:47:35.182Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6c00b7ef31ef0b55ed68
Added to database: 2/25/2026, 9:39:12 PM
Last enriched: 2/26/2026, 3:07:36 AM
Last updated: 2/26/2026, 6:16:57 AM