Forminator Forms WordPress Plugin Unauthenticated Arbitrary File Deletion Vulnerability

Vulnerability

An arbitrary file deletion vulnerability has been identified in the Forminator Forms plugin for WordPress in all versions up to and including 1.44.2. The issue arises from inadequate validation of file paths in the 'entry_delete_upload_files' function. An unauthenticated user can submit a form whose upload field records an arbitrary file path; that path is passed to the deletion routine when the submission is removed, whether by an administrator deleting the entry manually or by the automatic entry-deletion processes configured in the plugin's settings. Deleting a critical file such as wp-config.php could lead to remote code execution.
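The root cause is a deletion routine that trusts a stored path. The fix for this class of bug is to resolve the path and prove it lies inside the uploads directory before calling unlink. The following is an added illustration written for this page, not Forminator's code or the patched function; the function name `delete_upload_if_contained`, the temporary directory layout and the sample file names are constructed for the demo. In a real plugin the base directory would come from `wp_upload_dir()['basedir']` rather than a temp directory.

```php
<?php
// Added illustration (not Forminator's code): delete an uploaded file only
// after proving the stored path resolves to a location inside the uploads
// directory. The temp directory here stands in for wp_upload_dir()['basedir'].

/**
 * Delete $storedPath only if it resolves to a regular file inside $uploadsDir.
 * Returns true when a file was deleted, false when the path was rejected.
 */
function delete_upload_if_contained(string $uploadsDir, string $storedPath): bool
{
    $base = realpath($uploadsDir);
    if ($base === false) {
        return false;
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // realpath() resolves "..", symlinks and relative components, so the
    // comparison is made on the final on-disk location, not the raw string.
    $target = realpath($storedPath);
    if ($target === false || !is_file($target)) {
        return false;
    }
    if (strncmp($target, $base, strlen($base)) !== 0) {
        // Resolves outside the uploads directory (e.g. wp-config.php): refuse.
        return false;
    }
    return unlink($target);
}

// Constructed demo layout under the system temp directory.
$root    = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'upload-demo-' . getmypid();
$uploads = $root . DIRECTORY_SEPARATOR . 'uploads';
mkdir($uploads, 0700, true);
file_put_contents($uploads . '/attachment.txt', 'upload');
file_put_contents($root . '/wp-config.php', 'must survive');

// 1. Legitimate upload inside the uploads dir: deleted.
var_dump(delete_upload_if_contained($uploads, $uploads . '/attachment.txt'));
// 2. Stored path climbing out of the uploads dir: rejected, file untouched.
var_dump(delete_upload_if_contained($uploads, $uploads . '/../wp-config.php'));
var_dump(file_exists($root . '/wp-config.php'));

// Cleanup of the demo layout.
unlink($root . '/wp-config.php');
rmdir($uploads);
rmdir($root);
```

Containment on the resolved path is the minimum check; a stronger design never stores a submitter-controlled path at all, but stores only a server-generated file name and rebuilds the full path from the uploads base directory at deletion time, so there is no attacker-supplied string to validate.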

Impact

Exploitation of this vulnerability could result in unauthorized deletion of files, potentially leading to remote code execution if a sensitive file is removed.

Reproduction

To reproduce this vulnerability, submit a form built with the Forminator plugin that contains a file upload field, and include in the submission a file path pointing to the file to be deleted. When the stored submission is later removed, either manually by an administrator or automatically according to the plugin's deletion settings, the specified file is deleted.

Remediation

Users are advised to update the Forminator Forms plugin to version 1.44.3 or later.

Added: Jul 2, 2025, 5:25 AM
Updated: Jul 2, 2025, 5:25 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 8.4
remediation: 7.7
relevance: 0.2
threat: 4.8
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.