CVE-2025-10916
The FormGent WordPress plugin
Executive summary
A critical vulnerability has been identified in the FormGent WordPress plugin, assigned CVE-2025-10916 with a CVSS score of 9.1. This flaw allows an unauthenticated attacker to delete arbitrary files on the server hosting the WordPress site. Successful exploitation could lead to a complete site outage, data loss, and denial of service, posing a significant risk to business operations.
Vulnerability
The vulnerability exists because a plugin function responsible for file management does not adequately validate the file path it receives. An unauthenticated attacker can send a specially crafted HTTP request to the target website with a file path parameter containing directory traversal sequences (e.g., ../../..). The path is joined to the plugin's intended directory and passed on to the deletion routine, so the traversal sequences let the attacker walk out of that directory and name any file on the server for deletion, limited only by the permissions of the web server process. Because no prior authentication is required, any public-facing site running the vulnerable plugin version is a potential target.
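The following is an added example, not FormGent's code, that shows the pattern described above in a generic WordPress-style delete handler: an unsafe version that joins user input onto a base directory, and a hardened version that restricts the input to a bare file name and confirms the resolved path stays inside the base directory. The base directory, parameter name and demo file names are assumptions for illustration (a real plugin would use wp_upload_dir() and a nonce/capability check in addition to the path check):

```php
<?php
// Added example, not FormGent's code: a generic WordPress-style file-delete
// handler showing the unsafe pattern the advisory describes and a hardened form.
// The base directory and parameter names are assumptions for illustration.

declare(strict_types=1);

/** Directory the plugin is supposed to manage (assumed; WordPress would use wp_upload_dir()). */
function uploads_base(): string {
    return sys_get_temp_dir() . '/formgent-demo-uploads';
}

/** VULNERABLE: trusts the user-supplied path and joins it onto the base directory. */
function delete_file_unsafe(string $userPath): bool {
    $target = uploads_base() . '/' . $userPath;   // "../../wp-config.php" escapes the base
    return @unlink($target);
}

/** HARDENED: accept only a plain file name, then verify the resolved path is inside the base. */
function delete_file_safe(string $userPath): bool {
    // Reject anything that is not a bare file name; "../x" becomes "x" under basename(), so it fails here.
    if ($userPath === '' || $userPath !== basename($userPath)) {
        return false;
    }
    $base   = realpath(uploads_base());
    $target = realpath($base . '/' . $userPath);
    // realpath() returns false for non-existent paths and resolves symlinks,
    // so a link inside the base that points at wp-config.php is caught as well.
    if ($base === false || $target === false) {
        return false;
    }
    if (strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;   // containment check failed
    }
    if (!is_file($target)) {
        return false;
    }
    return unlink($target);
}

/** Demo harness: build a throwaway tree and try the traversal against both handlers. */
function demo(): array {
    $base = uploads_base();
    @mkdir($base, 0700, true);
    $secret = dirname($base) . '/formgent-demo-wp-config.php';   // stands in for wp-config.php
    file_put_contents($secret, "<?php // pretend config\n");
    file_put_contents($base . '/attachment.txt', "legit upload\n");

    $traversal = '../formgent-demo-wp-config.php';

    $results = [];
    $results['safe_blocks_traversal']       = delete_file_safe($traversal) === false && file_exists($secret);
    $results['safe_deletes_own_file']       = delete_file_safe('attachment.txt') === true;
    $results['unsafe_deletes_outside_base'] = delete_file_unsafe($traversal) === true && !file_exists($secret);

    @rmdir($base);
    return $results;
}

var_dump(demo());
```

The basename() check alone stops the traversal sequences the advisory describes; the realpath() containment check is defence in depth against symlinks and against later code changes that start accepting subdirectories.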
Business impact
This vulnerability is rated as critical severity with a CVSS score of 9.1. Exploitation could have a devastating impact on the business. An attacker could delete critical configuration files like wp-config.php or .htaccess, immediately rendering the entire website inaccessible and causing a denial-of-service (DoS) condition. Note that removing wp-config.php does not only cause an outage: WordPress then presents its installation wizard to the next visitor, and an attacker who completes it against a database they control can obtain administrative access to the site. The deletion of application or system files could lead to data corruption, extended downtime, and significant costs associated with incident response and restoring the service from backups. This could result in direct revenue loss, reputational damage, and a loss of customer trust.
Remediation
Immediate Action: Immediately update the FormGent WordPress plugin to version 1.0.4 or the latest available version, which contains the patch for this vulnerability. After patching, review web server access logs and file system integrity for any signs of compromise or suspicious activity preceding the update; because exploitation is a deletion, also confirm that wp-config.php, .htaccess and the WordPress core files are present and unmodified.
Proactive Monitoring:
- Monitor web server access logs (e.g., Apache, Nginx) for unusual POST or GET requests to plugin-specific endpoints, particularly those containing directory traversal sequences (../, ..%2f, and double-encoded variants such as ..%252f, which a single URL-decode pass will miss).
- Implement a File Integrity Monitoring (FIM) solution to alert on unauthorized changes or deletions of critical files, such as wp-config.php, core WordPress files, and system binaries.
- Review plugin activity logs for any anomalous file deletion events.
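As an added example that is not part of the advisory, the script below implements the first monitoring item: it parses combined-format access log lines, URL-decodes the request target repeatedly so that encoded and double-encoded sequences are normalised, and reports requests whose target contains a traversal segment. The log lines are constructed for the demo and the endpoint paths in them are placeholders, not FormGent's actual routes:

```php
<?php
// Added example (not from the advisory or the plugin): flag access-log lines whose
// request target contains a directory traversal sequence, including URL-encoded and
// double-encoded forms. The log lines below are constructed for the demo.

declare(strict_types=1);

/** Decode percent-encoding repeatedly (bounded) so "..%252f" is seen as "../" too. */
function fully_decode(string $s, int $maxRounds = 3): string {
    for ($i = 0; $i < $maxRounds; $i++) {
        $decoded = rawurldecode($s);
        if ($decoded === $s) {
            break;
        }
        $s = $decoded;
    }
    return $s;
}

/** True when the decoded request target contains a ".." path segment (e.g. in a query value). */
function has_traversal(string $requestTarget): bool {
    $decoded = str_replace('\\', '/', fully_decode($requestTarget));
    // ".." must be a whole segment: preceded by start, "/", "=", "&" or "?" and followed by "/", end, "?" or "&".
    // "photo..jpg" therefore does not match, while "file=../../wp-config.php" does.
    return (bool) preg_match('~(^|[/=&?])\.\.(/|$|[?&])~', $decoded);
}

/**
 * Parse Apache/Nginx combined-format lines and return the suspicious ones.
 * Only the request target is inspected; IP, method and status are kept for context.
 */
function suspicious_requests(array $logLines): array {
    $hits = [];
    foreach ($logLines as $line) {
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
            continue;   // not a combined-format line
        }
        [, $ip, $ts, $method, $target, $status] = $m;
        if (has_traversal($target)) {
            $hits[] = ['ip' => $ip, 'time' => $ts, 'method' => $method, 'target' => $target, 'status' => (int) $status];
        }
    }
    return $hits;
}

// Constructed sample lines; the endpoint paths are placeholders, not FormGent's real routes.
$sample = [
    '203.0.113.5 - - [10/Oct/2025:12:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=example_delete&file=report.pdf HTTP/1.1" 200 12 "-" "curl/8.0"',
    '203.0.113.5 - - [10/Oct/2025:12:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=example_delete&file=../../../wp-config.php HTTP/1.1" 200 12 "-" "curl/8.0"',
    '198.51.100.7 - - [10/Oct/2025:12:00:03 +0000] "GET /wp-json/example/v1/files?path=..%2f..%2f.htaccess HTTP/1.1" 200 45 "-" "python-requests/2.31"',
    '198.51.100.7 - - [10/Oct/2025:12:00:04 +0000] "GET /wp-json/example/v1/files?path=..%252f..%252fwp-config.php HTTP/1.1" 200 45 "-" "python-requests/2.31"',
    '192.0.2.9 - - [10/Oct/2025:12:00:05 +0000] "GET /wp-content/uploads/2025/10/photo..jpg HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
];

foreach (suspicious_requests($sample) as $hit) {
    printf("%s %s %s -> %d\n", $hit['ip'], $hit['method'], $hit['target'], $hit['status']);
}
```

Of the five constructed lines, the second, third and fourth are reported; the first (a plain file name) and the fifth (a file name that merely contains "..") are not. A 200 status on a flagged request is the line to escalate, since the deletion path in this flaw returns normally.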
Compensating Controls:
- If immediate patching is not feasible, disable and deactivate the FormGent plugin until it can be updated.
- Deploy a Web Application Firewall (WAF) with rules specifically designed to detect and block directory traversal attack patterns.
- Ensure the web server user account (e.g., www-data, apache) has the least privilege necessary, restricting its ability to delete files outside the directories it genuinely needs to write to (typically only wp-content/uploads). Note that on Unix systems deleting a file requires write permission on its parent directory, not on the file itself, so directories such as the web root and wp-content should not be writable by the web server user.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the critical severity (CVSS 9.1) and the lack of authentication required for exploitation, this vulnerability poses a high and immediate risk. We strongly recommend that all instances of the FormGent WordPress plugin be updated to the patched version (1.0.4 or later) with the highest priority. Organizations should treat this as an urgent security update and apply the patch immediately to prevent potential website compromise and denial of service.