Arbitrary File Deletion in ARforms Plugin for WordPress by ALMORA
CVE-2019-16902

7.5HIGH

Key Information:

Vendor: Wordpress
Status: Arforms
Vendor: CVE Published:; 27 September 2019

Summary

The ARforms plugin version 3.7.1 for WordPress contains a severe vulnerability that allows unauthenticated users to delete arbitrary files from the server. This flaw is accessible through the 'arf_delete_file' function in the 'arformcontroller.php' file when the full pathname of the target file is provided. As a result, attackers can exploit this vulnerability to disrupt the website's operations or manipulate sensitive data stored on the server.

References

https://www.arformsplugin.com/documentation/changelog/

x_refsource_MISC

http://almorabea.net/cve-2019-16902.txt

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Sep 27, 2019
Vulnerability Reserved
Sep 25, 2019