Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2023-4666: Unrestricted File Upload in Form Maker

Severity
9.8 CRITICAL (NVD)
EPSS
75.7%
top 1.10%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
Timeline
Published Oct 16

Description

The Form Maker by 10Web WordPress plugin before 1.15.20 does not validate signatures when creating them on the server from user input, allowing unauthenticated users to create arbitrary files, which can lead to RCE.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages: 1 package

NVD: 10web/form_maker < 1.15.20

🔴Vulnerability Details

3
GHSA
GHSA-w72r-ch4p-xqg3: The Form Maker by 10Web WordPress plugin before 1 (2023-10-16)
CVEList
Form-Maker < 1.15.20 - Unauthenticated Arbitrary File Upload (2023-10-16)
VulnCheck
Form Maker by 10Web WordPress plugin Remote Code Execution Vulnerability (2023)

💥Exploits & PoCs

1
Nuclei
Form-Maker < 1.15.20 - Unauthenticated Arbitrary File Upload