CVE-2023-4666
CRITICAL EXPLOITED NUCLEI
10Web Form Maker < 1.15.20 - Unauthenticated Arbitrary File Write and Remote Code Execution
Title source: llm
Exploitation Summary
CVE-2023-4666 has been observed exploited in the wild (reported by VulnCheck KEV). A Nuclei detection template is also available.
Description
The Form Maker by 10Web WordPress plugin before 1.15.20 does not validate signatures when creating them on the server from user input, allowing unauthenticated users to create arbitrary files, which can lead to RCE.
Nuclei Templates (1)
Form-Maker < 1.15.20 - Unauthenticated Arbitrary File Upload
CRITICAL VERIFIED by pussycat0x
FOFA:
body="/wp-content/plugins/form-maker/"
References (1)
Core References
Exploit, Third Party Advisory exploit
vdb-entry
technical-description
https://wpscan.com/vulnerability/c6597e36-02d6-46b4-89db-52c160f418be
Scores
CVSS v3
9.8
EPSS
0.0328
EPSS Percentile
86.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
VulnCheck KEV
2023-09-07
Status
published
Products (1)
10web/form_maker
< 1.15.20
Published
Oct 16, 2023
Tracked Since
Feb 18, 2026