Form-Maker < 1.15.20 – Unauthenticated Arbitrary File Upload | CVE 2023-4666

Description

The plugin does not validate signatures when creating them on the server from user input, allowing unauthenticated users to create arbitrary files and lead to RCE

Proof of Concept

On a page where there is a form with a Signature field, run the following code in the web developer console while unauthenticated and submit the form

jQuery('input[id^="signature-file-wdform_"]').val('data:image/php;base64,PD9waHAgZWNobyAiSGVsbG8gV29ybGQiOw==');

This will create the /wp-content/uploads/form-maker/signatures/signature-<10 digit number generated with rand(10)>.php file containing the PHP code echo "Hello World";. An attacker could either try to guess the pseudo random part, or wait until an admin view the submissions list which will call the file via an image tag and run the code