CVE-2026-1056
Unknown
Unknown - Not Provided
Arbitrary File Deletion in Snow Monkey Forms Plugin Enables RCE
Publication date: 2026-01-28
Last updated on: 2026-01-28
Assigner: Wordfence
Description
Description
The Snow Monkey Forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'generate_user_dirpath' function in all versions up to, and including, 12.0.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| snow_monkey | forms | to 12.0.3 (inc) |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Snow Monkey Forms plugin for WordPress has a vulnerability in the 'generate_user_dirpath' function that allows unauthenticated attackers to delete arbitrary files on the server due to insufficient file path validation. This affects all versions up to and including 12.0.3.
How can this vulnerability impact me? :
This vulnerability can allow attackers to delete critical files on the server, such as wp-config.php, which can lead to remote code execution. This means an attacker could potentially take control of the affected server.
Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70