Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Harmonic Design HDForms hdforms allows Path Traversal. This issue affects HDForms: from n/a through <= 1.6.1.
Published: 2026-01-22
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper restriction of user-supplied pathnames in the HDForms plugin allows a path traversal attack that can delete arbitrary files from the server. The flaw is present in all releases up to and including version 1.6.1: an attacker can supply a file path that escapes the directory the plugin intends to operate in. If successful, the attacker can remove configuration files, scripts, or any other file the web‑server process is permitted to delete, compromising integrity and availability.

Affected Systems

The vulnerability affects Harmonic Design’s HDForms WordPress plugin for all versions from the first release through 1.6.1, including the 1.6.1 build used in many WordPress sites. The plugin is installed in the WordPress plugin directory and processes file‑path inputs from form submissions or administration actions.

Risk and Exploitability

With a CVSS score of 8.6 the flaw is rated high‑severity. The EPSS score of less than 1 % indicates a low likelihood of active exploitation at this time, and CISA does not list it in the KEV catalog. The CVSS vector (AV:N/AC:L/PR:N/UI:N) marks the flaw as reachable over the network with low attack complexity and no privileges or user interaction required: an attacker only needs to deliver a crafted form submission or request to the plugin. Actual file deletion additionally requires that the web‑server process hold write permission on the directories holding the targeted files.

Generated by OpenCVE AI on April 29, 2026 at 14:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade HDForms to the latest version (any release newer than 1.6.1) to remove the path‑traversal handling flaw.
  • If an immediate upgrade is not possible, limit the permissions of the web‑server user so that it cannot delete files in sensitive directories, and review any custom code that passes user‑supplied paths to the plugin.
  • Deploy monitoring or alerting on delete‑related file‑system events to detect unauthorized attempts and investigate any anomalous activity.
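The second recommendation asks reviewers to look at code that passes user-supplied paths on to the file system. The following is an added example, not HDForms code and not part of the OpenCVE record: it shows the containment check a reviewer would expect to find in front of any unlink() call that takes input from a form, together with logging of rejected requests so that the monitoring described in the third bullet has something to alert on. The base directory, function names and the temporary demo layout are assumptions constructed for this illustration.

```php
<?php
// Added example (not HDForms code). Assumption: deletable files live under
// one fixed base directory; any request that resolves outside it is refused.

function resolveInsideBase(string $baseDir, string $userPath): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null; // the base directory itself must exist
    }
    // NUL bytes truncate paths in the C layer; refuse them before realpath().
    if (strpos($userPath, "\0") !== false) {
        return null;
    }
    // Always join onto the base so an absolute user path cannot replace it,
    // then canonicalise to collapse "..", "." and symlinks.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($candidate === false) {
        return null; // nonexistent target or dangling symlink
    }
    // The canonical target must start with "<base>/" (the separator matters:
    // "/var/www/uploads-old" must not match a base of "/var/www/uploads").
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved outside the base directory
    }
    return $candidate;
}

function safeDelete(string $baseDir, string $userPath): bool
{
    $target = resolveInsideBase($baseDir, $userPath);
    if ($target === null || !is_file($target)) {
        // Rejected requests are logged so file-deletion monitoring can pick them up.
        error_log('rejected delete request for ' . var_export($userPath, true));
        return false;
    }
    return unlink($target);
}

// Constructed demo layout in a temporary directory (hypothetical, for this example only).
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'hdforms_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/uploads', 0700, true);
file_put_contents($root . '/uploads/upload.txt', 'ok');
file_put_contents($root . '/secret.conf', 'keep me');

var_dump(safeDelete($root . '/uploads', 'upload.txt'));        // inside base: deleted
var_dump(safeDelete($root . '/uploads', '../secret.conf'));    // escapes base: refused
var_dump(file_exists($root . '/secret.conf'));                 // still present
```

The check relies on realpath() having already resolved the target, so it also refuses symlinks inside the base that point elsewhere; the cost is that it cannot be used to validate a path that does not exist yet, which is the right behaviour for a delete operation.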



Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

  Metrics (cvssV3_1)
    Values Removed: {'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L'}
    Values Added:   {'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H'}

Wed, 28 Jan 2026 17:15:00 +0000

  Metrics (cvssV3_1)
    Values Added:   {'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L'}
  Metrics (ssvc)
    Values Added:   {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 23 Jan 2026 16:45:00 +0000

  First Time appeared
    Values Added:   Wordpress; Wordpress wordpress
  Vendors & Products
    Values Added:   Wordpress; Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

  Description
    Values Added:   Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Harmonic Design HDForms hdforms allows Path Traversal. This issue affects HDForms: from n/a through <= 1.6.1.
  Title
    Values Added:   WordPress HDForms plugin <= 1.6.1 - Arbitrary File Deletion vulnerability
  Weaknesses
    Values Added:   CWE-22
  References
    Values Added:   (no values)

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:33.446Z

Reserved: 2025-12-24T14:00:54.032Z

Link: CVE-2025-68912

Vulnrichment

Updated: 2026-01-28T16:53:23.609Z

NVD

Status : Deferred

Published: 2026-01-22T17:16:15.233

Modified: 2026-04-27T19:16:38.173

Link: CVE-2025-68912

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T15:00:13Z

Weaknesses