CVE-2023-4666

9.8 CRITICAL

📋 TL;DR

This vulnerability in the Form Maker by 10Web WordPress plugin allows unauthenticated attackers to create arbitrary files on the server due to missing signature validation. This can lead to remote code execution (RCE), potentially giving attackers full control of affected WordPress sites. All WordPress installations using vulnerable versions of this plugin are affected.

💻 Affected Systems

Products:
  • Form Maker by 10Web WordPress plugin
Versions: All versions before 1.15.20
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with the vulnerable plugin activated. No special configuration needed for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server compromise allowing attackers to execute arbitrary code, steal data, install backdoors, pivot to other systems, or use the server for malicious activities like cryptocurrency mining or DDoS attacks.

🟠 Likely Case

Attackers upload web shells or malicious scripts to gain persistent access, deface websites, steal sensitive data, or install malware for further attacks.

🟢 If Mitigated

Limited impact with proper file permissions, web application firewalls, and intrusion detection systems that block or alert on suspicious file creation attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is straightforward to exploit as it requires no authentication and has public proof-of-concept available. Attackers can easily automate exploitation across vulnerable sites.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.15.20 and later

Vendor Advisory: https://wordpress.org/plugins/form-maker/#developers

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Form Maker by 10Web' and click 'Update Now'.
4. Alternatively, download version 1.15.20+ from WordPress.org and manually update via FTP/SFTP.

🔧 Temporary Workarounds

Disable Form Maker Plugin (applies to: all)

Temporarily deactivate the vulnerable plugin until patching is possible:

wp plugin deactivate form-maker-mvc

Web Application Firewall Rule (applies to: all)

Block requests attempting to exploit the signature validation vulnerability: add a WAF rule that blocks requests containing suspicious file creation patterns to Form Maker endpoints.

🧯 If You Can't Patch

  • Implement strict file permissions on WordPress upload directories (755 for directories, 644 for files)
  • Deploy a web application firewall (WAF) with rules specifically blocking Form Maker exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Form Maker by 10Web → Version. If version is below 1.15.20, the site is vulnerable.

Check Version:

wp plugin get form-maker-mvc --field=version

Verify Fix Applied:

Verify plugin version is 1.15.20 or higher in WordPress admin panel. Test form submission functionality to ensure plugin still works properly.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file creation in wp-content/uploads/form-maker/ directory
  • POST requests to /wp-admin/admin-ajax.php with action=formmaker_submit
  • Multiple failed file creation attempts from same IP

Network Indicators:

  • HTTP requests with suspicious file extensions (.php, .phtml, .shtml) being uploaded via Form Maker endpoints
  • Unusual outbound connections from WordPress server after form submissions

SIEM Query:

source="wordpress.log" AND ("form-maker" OR "formmaker_submit") AND ("file_creation" OR "upload" OR ".php" OR ".phtml")
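As an added example (not part of this advisory), the following Python script implements the version check from "How to Verify" and the log indicators from "Detection & Monitoring" over constructed access-log lines. The admin-ajax action name, upload directory and script extensions are taken from the indicators above; the Apache/nginx combined log format and the sample traffic are assumptions.

```python
import re
from collections import Counter
from urllib.parse import parse_qs

# Assumes Apache/nginx "combined" access-log format: client IP, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
SCRIPT_EXT = (".php", ".phtml", ".shtml")          # extensions listed under Network Indicators
UPLOAD_DIR = "/wp-content/uploads/form-maker/"     # directory listed under Log Indicators
FIXED = (1, 15, 20)                                # first fixed release per the advisory


def is_vulnerable(version: str) -> bool:
    """True when the installed Form Maker version is below the fixed release 1.15.20."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    return (parts + (0, 0, 0))[:3] < FIXED


def classify(line: str):
    """Return (client_ip, reason) when a log line matches an advisory indicator, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("path").partition("?")
    if (m.group("method") == "POST" and path == "/wp-admin/admin-ajax.php"
            and parse_qs(query).get("action") == ["formmaker_submit"]):
        return m.group("ip"), "formmaker_submit via admin-ajax.php"
    if path.startswith(UPLOAD_DIR) and path.lower().endswith(SCRIPT_EXT):
        return m.group("ip"), "script requested from form-maker upload dir"
    return None


def scan(lines, repeat_threshold: int = 3):
    """Collect indicator hits and the client IPs that trip them repeatedly."""
    hits = [h for h in (classify(line) for line in lines) if h]
    per_ip = Counter(ip for ip, _ in hits)
    repeat = sorted(ip for ip, n in per_ip.items() if n >= repeat_threshold)
    return {"hits": hits, "repeat_offenders": repeat}


# Constructed sample lines (not real traffic); 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Sep/2023:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=formmaker_submit HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Sep/2023:10:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=formmaker_submit HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Sep/2023:10:00:03 +0000] "GET /wp-content/uploads/form-maker/a1b2.php HTTP/1.1" 200 93',
    '198.51.100.4 - - [01/Sep/2023:10:01:00 +0000] "GET /wp-content/uploads/form-maker/logo.png HTTP/1.1" 200 2048',
    '198.51.100.4 - - [01/Sep/2023:10:01:05 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 30',
]
```

An admin-ajax action carried only in the POST body does not appear in a standard access log, so the first rule only catches requests that pass the action in the query string; the WordPress-side log and SIEM query above cover the rest.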