CVE-2023-4596
Published: 30 August 2023
Summary
CVE-2023-4596 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Incsub Forminator. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.4% of CVEs by EPSS exploit likelihood, it is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, and a public proof-of-concept is referenced.
Deeper analysis
The Forminator plugin for WordPress is vulnerable to arbitrary file uploads because the upload_post_image() function performs file type validation only after a file has already been written to the server. The flaw affects all versions through 1.24.6 and is tracked as CWE-434.
Unauthenticated attackers can send crafted requests to upload any file type to the target site. Successful exploitation grants the ability to place executable content on the server, which can then be invoked to achieve remote code execution with the privileges of the web server process.
Public references include a WordPress Trac changeset that corrects the validation order, a detailed Wordfence advisory, and Exploit-DB entries that reproduce the upload path. Site administrators should update to a patched release of the plugin or apply equivalent server-side controls that enforce file-type checks before any write occurs.
The CVE carries a CVSS base score of 9.8 and an EPSS score above 0.90, meaning the EPSS model estimates a greater than 90% probability of exploitation activity within the next 30 days.
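The ordering defect described above, write first and validate afterwards, is easiest to see next to the corrected ordering. The following is an added example and not Forminator's code: the function names, the allow-list and the constructed webshell and PNG bytes are illustrative, and the cleanup-after-rejection in the vulnerable variant is an assumption about how such code typically behaves. The `on_written` callback stands in for an attacker requesting the file while it sits on disk, which is the window the advisory's wording refers to.

```python
"""Added example, not Forminator's code: the write-then-validate ordering that
CWE-434 describes, beside a validate-then-write version. Function and
constant names are illustrative; the webshell and image bytes are constructed."""
import os
import re
import secrets
import tempfile
from typing import Callable, Dict, Optional

# Allow-list of image extensions with the leading bytes each must carry.
ALLOWED_TYPES: Dict[str, bytes] = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}
# One base name and exactly one extension: rejects "shell.php", "shell.php.jpg",
# ".htaccess", and names containing path separators or null bytes.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,100}\.(jpe?g|png|gif)", re.IGNORECASE)


class UploadRejected(Exception):
    pass


def validate_image(filename: str, content: bytes) -> str:
    """Return the canonical extension, or raise before anything touches disk."""
    if not SAFE_NAME.fullmatch(filename):
        raise UploadRejected(f"disallowed file name: {filename!r}")
    ext = filename.rsplit(".", 1)[1].lower()
    if not content.startswith(ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match the declared image type")
    return ext


def is_rejected(filename: str, content: bytes) -> bool:
    """Convenience wrapper: True if validate_image() would refuse the upload."""
    try:
        validate_image(filename, content)
    except UploadRejected:
        return True
    return False


def save_upload_vulnerable(filename: str, content: bytes, upload_dir: str,
                           on_written: Optional[Callable[[str], None]] = None) -> Optional[str]:
    """Write first, validate second (the flawed ordering).

    The file exists under the upload directory before any check runs, so an
    attacker who requests it in that window has the web server execute it.
    In this model the rejected file is removed afterwards (an assumption); a
    cleanup that fails or is skipped leaves it there permanently."""
    dest = os.path.join(upload_dir, os.path.basename(filename))
    with open(dest, "wb") as fh:
        fh.write(content)
    if on_written is not None:
        on_written(dest)  # stands in for the attacker's concurrent request
    try:
        validate_image(filename, content)
    except UploadRejected:
        os.remove(dest)
        return None
    return dest


def save_upload_hardened(filename: str, content: bytes, upload_dir: str) -> str:
    """Validate first; only then write, under a server-chosen name."""
    ext = validate_image(filename, content)  # raises before any write
    fd, partial = tempfile.mkstemp(dir=upload_dir, prefix=".partial-")
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    dest = os.path.join(upload_dir, f"{secrets.token_hex(8)}.{ext}")
    os.replace(partial, dest)  # atomic rename: the final name is never half-written
    return dest


def run_demo() -> Dict[str, object]:
    """Exercise both orderings on a constructed PHP webshell and a valid PNG."""
    webshell = b"<?php system($_GET['c']); ?>"
    png = ALLOWED_TYPES["png"] + bytes(16)
    seen_on_disk = []
    with tempfile.TemporaryDirectory() as d:
        result = save_upload_vulnerable(
            "shell.php", webshell, d,
            on_written=lambda p: seen_on_disk.append(os.path.exists(p)))
        out: Dict[str, object] = {
            "vulnerable_result": result,
            "vulnerable_exposed_before_check": seen_on_disk == [True],
        }
        try:
            save_upload_hardened("shell.php", webshell, d)
            out["hardened_shell_result"] = "accepted"
        except UploadRejected:
            out["hardened_shell_result"] = "rejected"
        out["dir_after_rejections"] = sorted(os.listdir(d))
        saved = save_upload_hardened("photo.png", png, d)
        out["hardened_png_ext"] = saved.rsplit(".", 1)[1]
        out["hardened_png_renamed"] = os.path.basename(saved) != "photo.png"
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Two points the example makes beyond the advisory text: the rejected upload is still observable on disk in the vulnerable ordering even when cleanup follows, and the hardened path discards the client-supplied name entirely, so neither the extension nor the content is ever attacker-controlled once validation passes. Independently of validation order, the upload directory should also be configured so the web server never executes scripts from it.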
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-54449
Vulnerability details
The Forminator plugin for WordPress is vulnerable to arbitrary file uploads due to file type validation occurring after a file has been uploaded to the server in the upload_post_image() function in versions up to, and including, 1.24.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
- CWE(s): CWE-434 (Unrestricted Upload of File with Dangerous Type)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Incsub Forminator (WordPress plugin), all versions up to and including 1.24.6.
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived generically from the weakness type cited in the NVD entry (CWE-434) rather than from this vulnerability. Entries about portable devices and firmware write-protect do not apply to a WordPress plugin; the controls relevant here are file-type validation before any write, non-executable upload storage, and scanning or sandboxing of uploaded content.
Requiring identifiable owners for portable devices reduces the attack surface for unrestricted uploads of dangerous file types via anonymous media.
Dangerous file uploads can be detonated in the chamber to determine malice before any production write or execution occurs.
Prevents unrestricted writing of arbitrary or malicious firmware by keeping hardware write-protect enabled except under tightly controlled manual procedures.
Scans files from external sources on download/open/execute, blocking unrestricted uploads of dangerous file types.