


Perceptive Security
SOC/SIEM Consultancy

The Snow Monkey Forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'generate_user_dirpath' func…
Published:
27 January 2026 at 23:00:00
Alert date:
28 January 2026 at 14:04:26
Source:
nvd.nist.gov
Web Technologies
The Snow Monkey Forms plugin for WordPress contains a critical vulnerability allowing arbitrary file deletion due to insufficient file path validation in the 'generate_user_dirpath' function. All versions up to and including 12.0.3 are affected. Unauthenticated attackers can exploit this to delete arbitrary files on the server, potentially leading to remote code execution when critical files like wp-config.php are deleted. The vulnerability stems from improper input validation in the file path handling mechanism.
Technical details
Mitigation steps:
Affected products:
Snow Monkey Forms WordPress Plugin
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-1056
https://plugins.trac.wordpress.org/browser/snow-monkey-forms/tags/12.0.3/App/Model/Directory.php#L58
https://plugins.trac.wordpress.org/browser/snow-monkey-forms/tags/12.0.3/App/Rest/Route/View.php#L189
https://plugins.trac.wordpress.org/browser/snow-monkey-forms/tags/12.0.3/snow-monkey-forms.php#L186
https://plugins.trac.wordpress.org/changeset/3448278/
https://www.wordfence.com/threat-intel/vulnerabilities/id/37a8642d-07f5-4b1b-8419-e30589089162?source=cve
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
