The Snow Monkey Forms plugin for WordPress contains a critical vulnerability allowing arbitrary file deletion due to insufficient file path validation in the 'generate_user_dirpath' function. All versions up to and including 12.0.3 are affected. Unauthenticated attackers can exploit this to delete arbitrary files on the server, potentially leading to remote code execution when critical files like wp-config.php are deleted. The vulnerability stems from improper input validation in the file path handling mechanism.