An Arbitrary File Upload vulnerability has been identified in the WordPress Form Maker by 10Web Plugin. This vulnerability allows an attacker to upload any type of file to the affected website, including malicious files that could be used to take control of the website.

The vulnerability is an Arbitrary File Upload vulnerability that occurs in the form-maker.php file. The vulnerability allows an attacker to upload arbitrary files to the affected website by exploiting a flaw in the way that the plugin handles file uploads.

Severity:

The vulnerability has a CVSS 3.1 score of 10.0, which is considered to be critical. This means that the vulnerability is highly exploitable and could have a significant impact on the affected system.

Affected Versions:

The vulnerability affects all versions of the Form Maker by 10Web Plugin prior to 1.15.20.

Impact:

An attacker who successfully exploits this vulnerability could:

  • Upload any type of file to the affected website, such as:
    • Backdoors
    • Viruses
    • Phishing scripts

These malicious files could then be executed by visitors to the website, potentially leading to a variety of security risks, such as:

  • Data theft
  • Website defacement
  • Denial of service attacks

Recommendation:

Given the critical nature of this vulnerability, immediate and unwavering action is of the essence:

  • Update Without Delay: Users of the Form Maker by 10Web Plugin are strongly advised to update to the latest available version (at least 1.15.20), or the latest available version. This update contains critical fixes to address the Arbitrary File Upload vulnerability and enhance overall plugin security.
  • Stay Informed: Watch for official updates or advisories related to the Form Maker by 10Web Plugin.