High severity8.8NVD Advisory· Published Mar 1, 2025· Updated Apr 15, 2026
CVE-2024-12544
CVE-2024-12544
Description
The SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity plugin for WordPress is vulnerable to arbitrary file deletion due to a missing capability check on the callback function of the SurveyJS_DeleteFile class in all versions up to, and including, 1.12.17. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). This function is still vulnerable to Cross-Site Request Forgery as of 1.12.20.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2<=1.12.20+ 1 more
- (no CPE)range: <=1.12.20
- (no CPE)range: <=1.12.17
Patches
Vulnerability mechanics
References
3News mentions
0No linked articles in our index yet.