The Snow Monkey Forms plugin for WordPress contains an insufficient file path validation bug in the generate_user_dirpath function. This flaw allows an unauthenticated attacker to delete arbitrary files on the server. Removing critical configuration files such as wp-config.php can lead to the full compromise of the WordPress installation, resulting in remote code execution. The weakness is a classic path traversal scenario (CWE‑22).

WordPress sites that have the Snow Monkey Forms plugin installed with a version of 12.0.3 or earlier. The vendor is inc2734, and the affected product is the Snow Monkey Forms WordPress plugin. Users should confirm whether their site runs any version up to 12.0.3. If a newer release is installed, the vulnerability has been addressed. No other vendors or products are listed.

The vulnerability scores a CVSS of 9.8, indicating a critical severity. The EPSS score is reported as < 1%, suggesting that the probability of exploitation in the near future is very low, yet the potential impact is catastrophic. The CVE description states that the path validation is insufficient, allowing arbitrary file deletion for any file the web process can write to. While the description does not explicitly detail the attack path, the code references imply that an unauthenticated HTTP request to the plugin’s REST endpoint could be used to trigger the vulnerable function. Therefore it is inferred that the attacker manipulates the file path to target critical system files via this endpoint. Because the path traversal is unconstrained, the attacker can delete any file for which the web process has write permissions. Monitoring logs for unexpected deletions and applying fixes are essential.