Form-Maker < 1.15.20 - Unauthenticated Arbitrary File Upload
Description
The Form Maker by 10Web WordPress plugin before 1.15.20 does not validate signatures when creating them on the server from user input, allowing unauthenticated users to create arbitrary files, which can lead to RCE.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Form Maker by 10Web WordPress plugin before 1.15.20 allows unauthenticated attackers to create arbitrary files, leading to remote code execution.
Vulnerability
The Form Maker by 10Web WordPress plugin versions before 1.15.20 fails to validate signatures when creating them from user input on the server. This allows unauthenticated users to upload arbitrary files, bypassing intended access controls [1].
Exploitation
An unauthenticated attacker can send crafted requests to the vulnerable signature creation endpoint without needing any authentication or prior access. By providing a malicious signature, the attacker can upload arbitrary files (e.g., a PHP web shell) to the server [1].
Impact
Successful exploitation allows an attacker to execute arbitrary PHP code on the server, leading to remote code execution (RCE) with the privileges of the web server. This can result in full site compromise, including data theft, defacement, or further lateral movement [1].
Mitigation
The vulnerability is fixed in Form Maker version 1.15.20. All users should update to this version or later. No workarounds are available from the vendor. The CVE is not listed in CISA's Known Exploited Vulnerabilities catalog [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: <1.15.20
Patches
No patches discovered yet.
References
[1] wpscan.com/vulnerability/c6597e36-02d6-46b4-89db-52c160f418be (tags: mitre, exploit, vdb-entry, technical-description)