WordPress Plugin Vulnerabilities

ArForms < 4.0 - Unauthenticated Arbitrary File Deletion via Traversal

Description

"arf_delete_file in arformcontroller.php allows unauthenticated users to delete an arbitrary file by supplying its full pathname"

The vendor contacted the WPScan Team stating that the issue had been resolved in version 4.0.

Affects Plugins

arforms

Fixed in version 4.0

References

CVE

CVE-2019-16902

URL

https://codecanyon.net/item/arforms-wordpress-form-builder-plugin/6023165

URL

https://packetstormsecurity.com/files/154807/

ExploitDB

47492

Classification

Type

TRAVERSAL

OWASP top 10

A1: Injection

CWE

CWE-22

Miscellaneous

Original Researcher

AHMAD ALMORABEA

Verified

WPVDB ID

cd84e6fd-54cf-4fc7-8dc4-993c8e5c3062

Timeline

Publicly Published

2019-10-11 (about 3 years ago)

Added

2020-01-21 (about 3 years ago)

Last Updated

2020-08-10 (about 2 years ago)

Our Other Services

WPScan WordPress Security Plugin