CVE-2023-4666

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

T

he Form Maker by 10Web WordPress plugin before 1.15.20 does not validate signatures when creating them on the server from user input, allowing unauthenticated users to create arbitrary files and lead to RCE

References

Link	Resource
https://wpscan.com/vulnerability/c6597e36-02d6-46b4-89db-52c160f418be	Exploit Third Party Advisory
https://wpscan.com/vulnerability/c6597e36-02d6-46b4-89db-52c160f418be	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:10web:form_maker:*:*:*:*:*:wordpress:*:*

History

21 Nov 2024, 08:35

Type	Values Removed	Values Added
References	~~() https://wpscan.com/vulnerability/c6597e36-02d6-46b4-89db-52c160f418be - Exploit, Third Party Advisory~~	() https://wpscan.com/vulnerability/c6597e36-02d6-46b4-89db-52c160f418be - Exploit, Third Party Advisory

Information

Published : 2023-10-16 20:15

Updated : 2025-04-23 17:16

NVD link : CVE-2023-4666

Mitre link : CVE-2023-4666

CVE.ORG link : CVE-2023-4666

JSON object : View

Products Affected

form_maker

CWE

No CWE.

{"id": "CVE-2023-4666", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2023-10-16T20:15:15.927", "references": [{"url": "https://wpscan.com/vulnerability/c6597e36-02d6-46b4-89db-52c160f418be", "tags": ["Exploit", "Third Party Advisory"], "source": "[email protected]"}, {"url": "https://wpscan.com/vulnerability/c6597e36-02d6-46b4-89db-52c160f418be", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "descriptions": [{"lang": "en", "value": "The Form Maker by 10Web WordPress plugin before 1.15.20 does not validate signatures when creating them on the server from user input, allowing unauthenticated users to create arbitrary files and lead to RCE"}, {"lang": "es", "value": "El complemento Form Maker by 10Web WordPress anterior al 15.1.20 no valida las firmas cuando las crea en el servidor a partir de la entrada del usuario, lo que permite a usuarios no autenticados crear archivos arbitrarios y conducir a RCE"}], "lastModified": "2025-04-23T17:16:45.950", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:10web:form_maker:*:*:*:*:*:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "BC0EA9F1-E6B1-4ACB-984A-2D4CAE5319A9", "versionEndExcluding": "1.15.20"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}