Form-Maker < 1.15.20 - Unauthenticated Arbitrary File Upload

Description The plugin does not validate signatures when creating them on the server from user input, allowing unauthenticated users to create arbitrary files and lead to RCE

PoC

On a page where there is a form with a Signature field, run the following code in the web developer console while unauthenticated and submit the form jQuery(‘input[id^=“signature-file-wdform_”]’).val(‘data:image/php;base64,PD9waHAgZWNobyAiSGVsbG8gV29ybGQiOw==’); This will create the /wp-content/uploads/form-maker/signatures/signature-<10 digit number generated with rand(10)>.php file containing the PHP code echo “Hello World”;. An attacker could either try to guess the pseudo random part, or wait until an admin view the submissions list which will call the file via an image tag and run the code