History: Oct 16, 2023 - 7:39 p.m.

CVE-2023-4666 Form-Maker < 1.15.20 - Unauthenticated Arbitrary File Upload

2023-10-16 19:39:11
WPScan
www.cve.org
form maker plugin
unauthenticated upload
rce

AI Score: 9.7
Confidence: High
EPSS: 0.002
Percentile: 54.0%

The Form Maker by 10Web WordPress plugin before 1.15.20 does not validate signatures when creating them on the server from user input, allowing unauthenticated users to create arbitrary files, which can lead to RCE.

CNA Affected

[
  {
    "vendor": "Unknown",
    "product": "Form Maker by 10Web",
    "versions": [
      {
        "status": "affected",
        "versionType": "custom",
        "version": "0",
        "lessThan": "1.15.20"
      }
    ],
    "defaultStatus": "unaffected",
    "collectionURL": "https://wordpress.org/plugins"
  }
]
