Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder, 8665ff6b0aa9dcafd405093d9ccfbd38e49025e7

CVE, Research URL: 8665ff6b0aa9dcafd405093d9ccfbd38e49025e7
Home page URL: Security reports for Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
Application: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
Published on: Sep 07, 2023
Research Description: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder [form-maker] < 1.15.20 Form Maker by 10Web <= 1.15.19 - Unauthenticated Arbitrary File Upload The Form Maker by 10Web plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'type_signature' case of the save_db() function in versions up to, and including, 1.5.19. This makes it possible for unauthenticated attackers to upload arbitrary files, via the signature field, on the affected site's server which may make remote code execution possible.
Affected versions: max 1.15.20.
Status: vulnerable

Form Maker by 10Web &#8211; Mobile-Friendly Drag &amp; Drop Contact Form Builder, 8665ff6b0aa9dcafd405093d9ccfbd38e49025e7