Snow Monkey Forms WordPress Plugin Path Traversal Vulnerability Allowing Unauthenticated Arbitrary File Deletion

Vulnerability

A vulnerability in the Snow Monkey Forms plugin for WordPress, present in all versions through 12.0.3, allows for arbitrary file deletion. This issue arises from inadequate file path validation in the 'generate_user_dirpath' function. As a result, unauthenticated attackers can delete any file on the server, potentially leading to remote code execution if critical files like wp-config.php are removed.

Impact

Exploitation of this vulnerability could result in unauthorized file deletions on the server, with the potential for remote code execution if a sensitive file is deleted.

Reproduction

The vulnerability can be reproduced by sending a request to the WordPress REST API endpoint '/snow-monkey-form/v1/view' with an invalid form ID supplied in an 'X-SMF-FormID' header. The handler calls the 'generate_user_dirpath' function, which does not validate the resulting path, so a traversal sequence in the form ID leads to deletion of files outside the intended directory.

Remediation

Users are advised to update the Snow Monkey Forms plugin to version 12.0.4 or later.
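As an added illustration that is not Snow Monkey Forms' own code, the following PHP shows the kind of containment check the advisory says 'generate_user_dirpath' lacked: the form ID from the X-SMF-FormID header is restricted to an integer and the resolved directory is verified to lie inside the plugin's base directory before any cleanup happens. The base directory argument, the smf_view_handler route handler and the smf_remove_dir() helper are assumptions for the example.

```php
<?php
// Added example, not the plugin's code. Hardened per-form directory lookup:
// an untrusted form ID must never steer a delete outside $base_dir.
// $base_dir and smf_remove_dir() are assumptions made for this illustration.

function smf_safe_user_dirpath(string $base_dir, string $form_id): ?string
{
    // Accept only the shape a form ID legitimately has (a positive integer).
    // This rejects '../', absolute paths and null bytes before any filesystem call.
    if (!preg_match('/^[1-9][0-9]{0,9}$/', $form_id)) {
        return null;
    }

    // Canonicalise the base directory (resolves symlinks, '.', '..').
    $real_base = realpath($base_dir);
    if ($real_base === false) {
        return null;
    }

    // Canonicalise the candidate directory. A non-existent directory yields
    // false, which is also the right answer: there is nothing to delete.
    $real_dir = realpath($real_base . DIRECTORY_SEPARATOR . $form_id);
    if ($real_dir === false) {
        return null;
    }

    // The resolved path must sit strictly below the base. Because realpath()
    // follows symlinks, a link planted inside the base that points elsewhere
    // is rejected here rather than followed.
    $prefix = $real_base . DIRECTORY_SEPARATOR;
    if (strncmp($real_dir, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real_dir;
}

// Hypothetical handler for the REST route the advisory names.
function smf_view_handler(WP_REST_Request $request, string $base_dir): WP_REST_Response
{
    // get_header() canonicalises the name, so 'X-SMF-FormID' is matched as sent.
    $form_id = (string) $request->get_header('X-SMF-FormID');
    $dir = smf_safe_user_dirpath($base_dir, $form_id);
    if ($dir === null) {
        // Invalid or out-of-tree form ID: refuse, and log it so it can be detected.
        error_log('smf: rejected X-SMF-FormID ' . var_export($form_id, true));
        return new WP_REST_Response(['error' => 'invalid form id'], 400);
    }
    smf_remove_dir($dir); // assumed cleanup helper, now confined to $base_dir
    return new WP_REST_Response(null, 204);
}
```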

Added: Jan 28, 2026, 1:28 PM
Updated: Jan 28, 2026, 1:28 PM

Vulnerability Rating (Custom Algorithm)

  spread          1.0
  impact          2.5
  exploitability  8.9
  remediation     7.7
  relevance       2.4
  threat          4.8
  urgency         2.9
  incentive       8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.