CVE-2023-4666
published 2023-10-16


Priority: P184 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW exploit: VulnCheck KEV (Exploited in the wild)
EPSS: 3.28% (86.9th percentile)
The Form Maker by 10Web WordPress plugin before 1.15.20 does not validate signatures when creating them on the server from user input, allowing unauthenticated users to create arbitrary files, leading to RCE.

Affected

1 range

Vendor: 10web
Product: form_maker
Version range: < 1.15.20
Fixed in: 1.15.20

Detection & IOCs (extracted from sources)

path: /wp-content/plugins/form-maker/readme.txt
other: fofa-query: body="/wp-content/plugins/form-maker/"
  • Probe for vulnerable Form Maker plugin by fetching the readme.txt file; a 200 response containing 'Form Maker by 10Web' with a version string below 1.15.20 indicates a vulnerable installation.
  • Extract the plugin version from the readme.txt body using the regex pattern 'Stable tag: ([0-9.]+)' and compare against the fixed version 1.15.20.
  • The vulnerability is exploitable by unauthenticated users via missing signature validation when creating signatures server-side from user input, enabling arbitrary file upload and RCE.
  • The Nuclei template is classified as a passive/version-detection check only; it does not actively exploit the file upload vulnerability but confirms exposure by version comparison.
  • Only Form Maker by 10Web versions strictly below 1.15.20 are vulnerable; version 1.15.20 and above are patched.
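As an added example (not part of this record or of the Nuclei template), the version-detection logic from the bullets above applied to constructed readme.txt bodies. The function names and sample bodies are assumptions; the point it adds is that the version must be compared numerically, since a plain string comparison ranks 1.15.9 above 1.15.20 and would miss a vulnerable install.

```python
import re
from typing import Optional, Tuple

# Fixed version stated in the record; versions strictly below it are vulnerable.
FIXED_VERSION = "1.15.20"
# Regex quoted in the detection notes: 'Stable tag: ([0-9.]+)'
STABLE_TAG_RE = re.compile(r"Stable tag:\s*([0-9.]+)")
PLUGIN_BANNER = "Form Maker by 10Web"


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted version into integers so 1.15.9 sorts below 1.15.20.
    Trailing dots (e.g. 'Stable tag: 1.15.20.') are stripped first."""
    return tuple(int(part) for part in version.strip(".").split("."))


def extract_version(body: str) -> Optional[str]:
    """Return the Stable tag value from a readme.txt body, or None if absent."""
    match = STABLE_TAG_RE.search(body)
    return match.group(1) if match else None


def is_vulnerable(status: int, body: str) -> Optional[bool]:
    """Apply the template's passive check to an already-fetched response.

    Returns None when the response does not identify Form Maker at all
    (non-200, missing banner, or no Stable tag), True when the detected
    version is below 1.15.20, and False when it is 1.15.20 or newer.
    """
    if status != 200 or PLUGIN_BANNER not in body:
        return None
    version = extract_version(body)
    if version is None:
        return None
    return parse_version(version) < parse_version(FIXED_VERSION)


def naive_string_compare(version: str) -> bool:
    """What a string comparison would report; shown only to expose the trap."""
    return version < FIXED_VERSION


# Constructed sample bodies (hypothetical readme.txt fragments, not captured data).
SAMPLE_OLD = "=== Form Maker by 10Web ===\nStable tag: 1.15.9\n"
SAMPLE_PATCHED = "=== Form Maker by 10Web ===\nStable tag: 1.15.20\n"
SAMPLE_OTHER = "=== Some Other Plugin ===\nStable tag: 1.0\n"

if __name__ == "__main__":
    print("1.15.9 vulnerable:", is_vulnerable(200, SAMPLE_OLD))          # True
    print("string compare would say:", naive_string_compare("1.15.9"))  # False
    print("1.15.20 vulnerable:", is_vulnerable(200, SAMPLE_PATCHED))    # False
    print("other plugin:", is_vulnerable(200, SAMPLE_OTHER))            # None
```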

CVSS provenance

NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.8 CRITICAL