CVE-2019-16902

HIGH

ARforms 3.7.1 - Unauthenticated Arbitrary File Deletion via arf_delete_file


Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-16902. PoCs published by Ahmad Almorabea.

AI-analyzed exploit summary: This Ruby script exploits a path traversal vulnerability in WordPress Arforms plugin (CVE-2019-16902) to delete arbitrary files by sending crafted HTTP requests to the vulnerable endpoint. It checks for the presence of the plugin and user files directory before executing the deletion attack.

Description

In the ARforms plugin 3.7.1 for WordPress, arf_delete_file in arformcontroller.php allows unauthenticated deletion of an arbitrary file by supplying the full pathname.

Exploits (1)

exploitdb WORKING POC
by Ahmad Almorabea · ruby · webapps · php
https://www.exploit-db.com/exploits/47443


Classification: Working PoC 95%
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: WordPress Arforms plugin version 3.7.1
No auth needed
Prerequisites: Target must have the vulnerable Arforms plugin installed · Knowledge of file paths to delete
devstral-2 · analyzed Feb 16, 2026

References (2)

Core References
Release Notes, Vendor Advisory x_refsource_misc
https://www.arformsplugin.com/documentation/changelog/
Third Party Advisory x_refsource_misc
http://almorabea.net/cve-2019-16902.txt

Scores

CVSS v3 7.5
EPSS 0.1474
EPSS Percentile 94.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Details

CWE CWE-22
Status published
Products (1)
reputeinfosystems/arforms 3.7.1
Published Sep 27, 2019
Tracked Since Feb 18, 2026