Cyber Resilience

CVE-2023-4666

Critical · Public PoC

Published: 16 October 2023

Modified: 23 April 2025
KEV Added: not listed
Patch: (no entry)
CVSS v3.1 score: 9.8 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.7568 (98.9th percentile)
Risk priority: 65 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-4666 is a critical-severity vulnerability in 10Web Form Maker whose weakness type is unspecified (no CWE is listed). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 1.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

The Form Maker by 10Web WordPress plugin before version 1.15.20 contains an input-handling flaw in which signatures are not validated when they are generated on the server from user-supplied data. This affects any site running the vulnerable plugin and carries a CVSS 3.1 base score of 9.8.

Unauthenticated attackers can supply crafted input over the network to create arbitrary files on the server, resulting in remote code execution that grants full control of the affected WordPress installation.

Public references hosted on WPScan describe the issue and indicate that the vendor addressed it in release 1.15.20; site operators are therefore expected to apply the update to eliminate the flaw.

The associated EPSS score currently stands at 0.7568 with a recorded peak of 0.7573, reflecting sustained exploitation interest since disclosure.

Vulnerability details

The Form Maker by 10Web WordPress plugin before 1.15.20 does not validate signatures when creating them on the server from user input, allowing unauthenticated users to create arbitrary files, leading to RCE.

CWE(s)
None listed

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell (Persistence): adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Unauthenticated arbitrary file creation in a public-facing WordPress plugin enables exploitation of the public-facing application (T1190) and the deployment and execution of PHP web shells for RCE (T1505.003).

Affected Assets

Vendor: 10web
Product: form maker
Versions: ≤ 1.15.20

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.