CVE-2025-6463

WordPress · WordPress Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin


Executive summary

A high-severity arbitrary file deletion vulnerability in the Forminator Forms plugin for WordPress allows an authenticated attacker to delete arbitrary files that the web server process can remove, including WordPress core files, potentially leading to a complete denial of service for the site.

Vulnerability

The flaw is insufficient file path validation in the plugin's 'entry_delete_upload_files' function, which removes the files recorded for a form submission. Because the recorded paths are not confined to the plugin's upload directory, an authenticated attacker who can influence those paths can have the routine unlink arbitrary files that the web server process is permitted to delete, including wp-config.php and other WordPress core or configuration files.
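The bug class behind this advisory, and the confinement check that closes it, as an added illustration that is not Forminator's own code. The function names, the `$entry_meta` layout and the directory names are assumptions modelled on the function named above; in a real plugin the base directory would come from `wp_upload_dir()['basedir']`.

```php
<?php
// Added illustration, not code from the Forminator plugin. Function names,
// the $entry_meta layout and the directory names are assumptions.

/**
 * Vulnerable pattern: every path recorded in the submission is unlinked as-is.
 * Nothing ties the path to the upload directory, so a recorded value such as
 * "/var/www/html/wp-config.php" or "uploads/../wp-config.php" is deleted too.
 */
function vulnerable_entry_delete_upload_files(array $entry_meta): void
{
    foreach ($entry_meta as $field) {
        $path = $field['file']['file_path'] ?? '';
        if ($path !== '' && file_exists($path)) {
            unlink($path);
        }
    }
}

/**
 * Confinement check: canonicalise both the base directory and the candidate
 * with realpath() (which collapses ".." segments and symlinks), then require
 * the candidate to sit strictly under the base before touching it.
 */
function safe_unlink_within(string $base_dir, string $candidate): bool
{
    $base = realpath($base_dir);
    $real = realpath($candidate);
    if ($base === false || $real === false) {
        return false;                      // base missing, or target does not exist
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $base, strlen($base)) !== 0) {
        return false;                      // resolves outside the upload dir: refuse
    }
    if (!is_file($real)) {
        return false;                      // never unlink directories or devices
    }
    return unlink($real);
}

/**
 * Hardened pattern: same loop, but every deletion goes through the check and
 * refused paths are returned so the caller can log them as tampering attempts.
 */
function hardened_entry_delete_upload_files(array $entry_meta, string $upload_dir): array
{
    $result = ['deleted' => [], 'refused' => []];
    foreach ($entry_meta as $field) {
        $path = $field['file']['file_path'] ?? '';
        if ($path === '') {
            continue;
        }
        $key = safe_unlink_within($upload_dir, $path) ? 'deleted' : 'refused';
        $result[$key][] = $path;
    }
    return $result;
}

// Demo on a constructed temporary tree standing in for a web root.
$root = sys_get_temp_dir() . '/formdemo_' . getmypid();
mkdir("$root/uploads", 0700, true);
file_put_contents("$root/uploads/resume.pdf", 'genuine upload');
file_put_contents("$root/wp-config.php", "<?php define('DB_PASSWORD', 'secret');");

$entry_meta = [
    ['file' => ['file_path' => "$root/uploads/resume.pdf"]],        // legitimate upload
    ['file' => ['file_path' => "$root/uploads/../wp-config.php"]],  // traversal
    ['file' => ['file_path' => "$root/wp-config.php"]],             // absolute path
];

$r = hardened_entry_delete_upload_files($entry_meta, "$root/uploads");
echo 'deleted: ' . implode(', ', $r['deleted']) . PHP_EOL;
echo 'refused: ' . implode(', ', $r['refused']) . PHP_EOL;
echo 'wp-config.php still present: ' . (file_exists("$root/wp-config.php") ? 'yes' : 'no') . PHP_EOL;
```

The check compares canonical paths rather than the stored string, which is what defeats both the `..` form and a symlink planted inside the upload directory; a plain `strpos($path, '..')` filter would still pass the absolute-path case. The hardened loop also refuses anything that is not a regular file, so a stored directory path cannot be turned into a recursive deletion by a later refactor.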

Business impact

The assigned CVSS score of 8.8 (High) reflects the impact of this flaw. Deleting WordPress core files, wp-config.php above all, takes the site offline and causes significant operational disruption and potential reputational damage. Note that a WordPress install missing wp-config.php falls back to its setup routine, so the consequence of that deletion is not limited to downtime. The flaw is a severe integrity and availability risk to the web application and, to the extent the web server user can delete files elsewhere, to the underlying server.

Remediation

Immediate Action: Administrators must immediately update the Forminator Forms plugin to the patched release specified by the vendor. If the update cannot be applied, deactivating the plugin is the required temporary mitigation until it can.

Proactive Monitoring: Monitor web server and application logs for unusual file deletion activity and for PHP errors or setup-screen redirects that indicate missing WordPress core files. File integrity monitoring (FIM) should be configured to alert on deleted or modified files within the web root, with the uploads directory excluded so that legitimate churn does not drown the signal.
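A minimal file-integrity check of the kind the paragraph above calls for, as an added example that is not from the advisory or the plugin. It snapshots SHA-256 hashes of a web root, leaves out directories that legitimately change, and reports files that have gone missing or been altered; the web-root layout, the excluded prefixes and the baseline file name are assumptions.

```php
<?php
// Added example, not from the advisory or the plugin. The web-root layout,
// the excluded directories and the baseline file name are assumptions.

/** Map of relative path => sha256 for every regular file under $root. */
function fim_snapshot(string $root, array $exclude_prefixes): array
{
    $root = rtrim($root, DIRECTORY_SEPARATOR);
    $hashes = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $info) {
        if (!$info->isFile()) {
            continue;
        }
        $rel = substr($info->getPathname(), strlen($root) + 1);
        foreach ($exclude_prefixes as $prefix) {
            if (strncmp($rel, $prefix, strlen($prefix)) === 0) {
                continue 2;                 // volatile path, not part of the baseline
            }
        }
        $hashes[$rel] = hash_file('sha256', $info->getPathname());
    }
    ksort($hashes);
    return $hashes;
}

/** Compare two snapshots; "missing" is the signal this advisory is about. */
function fim_diff(array $baseline, array $current): array
{
    $report = ['missing' => [], 'modified' => [], 'added' => []];
    foreach ($baseline as $rel => $hash) {
        if (!isset($current[$rel])) {
            $report['missing'][] = $rel;
        } elseif ($current[$rel] !== $hash) {
            $report['modified'][] = $rel;
        }
    }
    foreach (array_keys(array_diff_key($current, $baseline)) as $rel) {
        $report['added'][] = $rel;
    }
    return $report;
}

// Directories that change during normal operation and would only add noise.
$exclude = ['wp-content/uploads/', 'wp-content/cache/'];

// Demo on a constructed miniature web root.
$root = sys_get_temp_dir() . '/wpfim_' . getmypid();
mkdir("$root/wp-content/uploads", 0700, true);
file_put_contents("$root/wp-config.php", "<?php define('DB_NAME', 'wp');");
file_put_contents("$root/wp-load.php", "<?php // loads WordPress");
file_put_contents("$root/wp-content/uploads/photo.jpg", 'user upload');

// 1. Baseline taken on the known-good install; keep it outside the web root.
$baseline = fim_snapshot($root, $exclude);
file_put_contents("$root.baseline.json", json_encode($baseline));

// 2. Simulate the impact described in this advisory, plus one benign change.
unlink("$root/wp-config.php");
file_put_contents("$root/wp-content/uploads/new.jpg", 'another upload');

// 3. Periodic verification, which is what a cron job would run.
$stored = json_decode(file_get_contents("$root.baseline.json"), true);
$report = fim_diff($stored, fim_snapshot($root, $exclude));
foreach ($report as $kind => $files) {
    foreach ($files as $rel) {
        echo "[$kind] $rel" . PHP_EOL;
    }
}
```

On a live install, WP-CLI's `wp core verify-checksums` performs the same comparison for WordPress core files against the checksums published by WordPress.org; wp-config.php is not a core file, so it is not covered by that command and has to come from a locally kept baseline like the one above.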

Compensating Controls: Implement a Web Application Firewall (WAF) with rules that block directory traversal payloads and restrict access to sensitive administrative functions from untrusted sources. Treat this as a partial control: an absolute path such as /var/www/html/wp-config.php contains no traversal sequence and will not match a generic traversal signature.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the high severity (CVSS 8.8) and the potential for complete site unavailability, this vulnerability requires immediate attention. We strongly recommend prioritizing deployment of the vendor-supplied patch across all affected WordPress instances. Prompt remediation is critical to prevent exploitation and to safeguard site integrity and availability.