CVE-2023-4666
Published: 16 October 2023
Summary
CVE-2023-4666 is a critical-severity vulnerability in 10Web Form Maker whose weakness type (CWE) is unspecified. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 1.1% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
Deeper analysis
The Form Maker by 10Web WordPress plugin before version 1.15.20 contains an input-handling flaw: signatures generated on the server from user-supplied data are not validated. Any site running the vulnerable plugin is affected, and the issue carries a CVSS 3.1 base score of 9.8.
Unauthenticated attackers can supply crafted input over the network to create arbitrary files on the server, which leads to remote code execution and full control of the affected WordPress installation.
Public references hosted on WPScan describe the issue and indicate that the vendor addressed it in release 1.15.20; site operators should update to that release or later to eliminate the flaw.
The associated EPSS score currently stands at 0.7568, with a recorded peak of 0.7573, reflecting sustained exploitation interest since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-54518
Vulnerability details
The Form Maker by 10Web WordPress plugin before 1.15.20 does not validate signatures when creating them on the server from user input, allowing unauthenticated users to create arbitrary files and lead to RCE.
- CWE(s): none assigned
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated arbitrary file upload in a public-facing WordPress plugin enables exploitation of the public-facing application (T1190) and the deployment and execution of PHP web shells for RCE (T1100).
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.