CVE-2019-16902

HIGH

Reputeinfosystems Arforms - Path Traversal

Title source: rule

Description

In the ARforms plugin 3.7.1 for WordPress, arf_delete_file in arformcontroller.php allows unauthenticated deletion of an arbitrary file by supplying the full pathname.

Exploits (1)

exploitdb WORKING POC

by Ahmad Almorabea · rubywebappsphp

https://www.exploit-db.com/exploits/47443

View Code ZIP pw:eip

References (2)

[Third Party Advisory] http://almorabea.net/cve-2019-16902.txt

[Release Notes, Vendor Advisory] https://www.arformsplugin.com/documentation/changelog/

Scores

CVSS v3 7.5

EPSS 0.1474

EPSS Percentile 94.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Details

CWE

CWE-22

Status published

Products (1)

reputeinfosystems/arforms 3.7.1

Published Sep 27, 2019

Tracked Since Feb 18, 2026