CVE-2023-4666: Form-Maker < 1.15.20 - Unauthenticated Arbitrary File Upload
First published: Mon Oct 16 2023(Updated: )
The Form Maker by 10Web WordPress plugin before 1.15.20 does not validate signatures when creating them on the server from user input, allowing unauthenticated users to create arbitrary files and lead to RCE
Credit: contact@wpscan.com contact@wpscan.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| 10web Form Maker | <1.15.20 | |
| <1.15.20 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the vulnerability ID of this issue?
The vulnerability ID of this issue is CVE-2023-4666.
What is the severity of CVE-2023-4666?
CVE-2023-4666 has a severity level of critical with a score of 9.8.
What does the Form Maker by 10Web WordPress plugin vulnerability allow?
The vulnerability in the Form Maker plugin allows unauthenticated users to create arbitrary files and potentially lead to remote code execution (RCE).
Which versions of the Form Maker by 10Web WordPress plugin are affected by CVE-2023-4666?
Versions up to and excluding 1.15.20 of the Form Maker plugin for WordPress are affected by CVE-2023-4666.
Is there a fix for CVE-2023-4666?
Yes, updating the Form Maker plugin to version 1.15.20 or newer will fix the vulnerability.
- collector/nvd-index
- agent/author
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/references
- agent/severity
- agent/title
- agent/description
- agent/first-publish-date
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/softwarecombine
- agent/tags
- agent/event
- vendor/10web
- canonical/10web form maker