CVE-2024-8756: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in ThemeCatcher Quform - WordPress Form Builder
The Quform - WordPress Form Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.20.0 via the 'saveUploadedFile' function. This makes it possible for unauthenticated attackers to extract sensitive data, such as Personally Identifiable Information, from files uploaded by users. Files uploaded via forms created before version 2.21.0 will remain vulnerable to exposure after upgrading. To fully patch the plugin, site administrators should download any previously uploaded files, delete previously existing files and forms, and create the forms again after upgrading to version 2.21.0.
AI Analysis
Technical Summary
CVE-2024-8756 is a sensitive information exposure vulnerability (CWE-200) in the Quform - WordPress Form Builder plugin affecting all versions up to 2.20.0. The issue arises from the 'saveUploadedFile' function, which improperly restricts access to uploaded files, enabling unauthenticated attackers to extract sensitive data such as PII. The vulnerability persists for files uploaded via forms created before version 2.21.0 even after upgrading, requiring manual remediation steps to fully mitigate the risk.
Potential Impact
An unauthenticated attacker can access sensitive information contained in files uploaded through vulnerable forms, potentially leading to unauthorized disclosure of Personally Identifiable Information. The vulnerability does not affect the integrity or availability of the system but compromises confidentiality. The risk remains for previously uploaded files after upgrading, increasing exposure if remediation steps are not followed.
Mitigation Recommendations
Upgrade the Quform plugin to version 2.21.0 or later to address the vulnerability in new forms. For full remediation, site administrators must download and securely store any previously uploaded files, delete all previously existing files and forms created before the upgrade, and then recreate the forms after upgrading. This manual cleanup is necessary because files uploaded via older forms remain vulnerable despite the plugin update. No automated patch or fix is available for previously uploaded files.
CVE-2024-8756: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in ThemeCatcher Quform - WordPress Form Builder
Description
The Quform - WordPress Form Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.20.0 via the 'saveUploadedFile' function. This makes it possible for unauthenticated attackers to extract sensitive data, such as Personally Identifiable Information, from files uploaded by users. Files uploaded via forms created before version 2.21.0 will remain vulnerable to exposure after upgrading. To fully patch the plugin, site administrators should download any previously uploaded files, delete previously existing files and forms, and create the forms again after upgrading to version 2.21.0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2024-8756 is a sensitive information exposure vulnerability (CWE-200) in the Quform - WordPress Form Builder plugin affecting all versions up to 2.20.0. The issue arises from the 'saveUploadedFile' function, which improperly restricts access to uploaded files, enabling unauthenticated attackers to extract sensitive data such as PII. The vulnerability persists for files uploaded via forms created before version 2.21.0 even after upgrading, requiring manual remediation steps to fully mitigate the risk.
Potential Impact
An unauthenticated attacker can access sensitive information contained in files uploaded through vulnerable forms, potentially leading to unauthorized disclosure of Personally Identifiable Information. The vulnerability does not affect the integrity or availability of the system but compromises confidentiality. The risk remains for previously uploaded files after upgrading, increasing exposure if remediation steps are not followed.
Mitigation Recommendations
Upgrade the Quform plugin to version 2.21.0 or later to address the vulnerability in new forms. For full remediation, site administrators must download and securely store any previously uploaded files, delete all previously existing files and forms created before the upgrade, and then recreate the forms after upgrading. This manual cleanup is necessary because files uploaded via older forms remain vulnerable despite the plugin update. No automated patch or fix is available for previously uploaded files.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2024-09-12T16:15:17.805Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699f6b30b7ef31ef0b54f24d
Added to database: 2/25/2026, 9:35:44 PM
Last enriched: 4/9/2026, 8:31:35 AM
Last updated: 4/12/2026, 8:39:44 AM
Views: 18
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.