WordPress · Arforms · CVE-2019-16902
**Name of the Vulnerable Software and Affected Versions**
ARforms plugin version 3.7.1 for WordPress
**Description**
The issue allows unauthenticated deletion of an arbitrary file by supplying the full pathname through the `arf delete file` function in `arformcontroller.php`.
**Recommendations**
For ARforms plugin version 3.7.1, consider disabling the `arf delete file` function in `arformcontroller.php` to prevent unauthenticated file deletion until a patch is available.