PT-2026-5121 · WordPress · Snow Monkey Forms

Sarawut Poolkhet · Published 2026-01-28 · Updated 2026-01-30 · CVE-2026-1056

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Snow Monkey Forms versions up to and including 12.0.3

Description

The Snow Monkey Forms plugin for WordPress is susceptible to arbitrary file deletion. Insufficient file path validation within the generate user dirpath function allows unauthenticated attackers to delete arbitrary files on the server. Successful deletion of specific files, such as wp-config.php, could lead to remote code execution.

Recommendations

Versions prior to and including 12.0.3 should be updated to a newer, fixed version when available. As a temporary workaround, consider restricting access to the generate user dirpath function until a patch is available.

Fix

RCE

Path traversal


Weakness Enumeration

Related identifiers

CVE-2026-1056

Affected products

Snow Monkey Forms