PT-2026-5121 · WordPress · Snow Monkey Forms

Sarawut Poolkhet · Published 2026-01-28 · Updated 2026-01-30 · CVE-2026-1056

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Snow Monkey Forms versions up to and including 12.0.3

Description

The Snow Monkey Forms plugin for WordPress is susceptible to arbitrary file deletion. Insufficient file path validation within the generate user dirpath function allows unauthenticated attackers to delete arbitrary files on the server. Successful deletion of specific files, such as wp-config.php, could lead to remote code execution.

Recommendations

Versions prior to and including 12.0.3 should be updated to a newer, fixed version when available. As a temporary workaround, consider restricting access to the generate user dirpath function until a patch is available.
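
The weakness class described above, shown as an added example that is not the plugin's code: a directory path built from a request-controlled value, first without validation and then with an allow-list plus a containment check. The function names, the token format and the uploads directory are hypothetical, and the assumption that the directory name comes from request input is ours, not the advisory's.

```php
<?php
// Added illustration; every name here is hypothetical, not taken from Snow Monkey Forms.

// Weak pattern: the request-supplied value is concatenated into the path unchecked.
function user_dirpath_unchecked(string $base, string $token): string {
    return $base . '/' . $token;
}

// Hardened pattern: strict allow-list on the value, then confirm the resolved
// path is still inside the base directory before anything deletes from it.
function user_dirpath_checked(string $base, string $token): string {
    if (!preg_match('/\A[A-Za-z0-9]{16,64}\z/', $token)) {
        throw new InvalidArgumentException('invalid directory token');
    }
    $root = realpath($base);
    if ($root === false) {
        throw new RuntimeException('base directory missing');
    }
    $path = $root . DIRECTORY_SEPARATOR . $token;
    $real = realpath($path); // false when the directory does not exist yet
    $prefix = $root . DIRECTORY_SEPARATOR;
    if ($real !== false && strncmp($real, $prefix, strlen($prefix)) !== 0) {
        throw new RuntimeException('path escapes base directory'); // e.g. a symlink
    }
    return $path;
}

// Constructed sample input: a temporary base directory and four candidate values.
$base = sys_get_temp_dir() . '/smf-example-' . bin2hex(random_bytes(4));
$uploads = $base . '/uploads';
mkdir($uploads, 0700, true);

$samples = ['0123456789abcdef0123456789abcdef', '../outside.txt', '..', ''];
foreach ($samples as $token) {
    $label = var_export($token, true);
    try {
        echo "accepted $label -> ", user_dirpath_checked($uploads, $token), "\n";
    } catch (Throwable $e) {
        // Show what the unchecked builder would have handed to the delete routine.
        echo "rejected $label (", $e->getMessage(), "); unchecked result: ",
            user_dirpath_unchecked($uploads, $token), "\n";
    }
}

rmdir($uploads);
rmdir($base);
```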

Fix · RCE · Path traversal

Weakness Enumeration

Related Identifiers: CVE-2026-1056

Affected Products: Snow Monkey Forms