CVE-2026-1056
Snow · Snow Monkey Forms plugin for WordPress
Executive summary
A critical vulnerability exists in the Snow Monkey Forms plugin for WordPress, identified as CVE-2026-1056. This flaw allows an unauthenticated attacker to delete arbitrary files from the web server, which can lead to a complete site takeover and remote code execution. Due to the ease of exploitation and severe impact, immediate remediation is required to prevent compromise.
Vulnerability
The vulnerability is a path traversal flaw in the plugin's generate_user_dirpath function. The function does not properly sanitize user-supplied input, so an attacker can craft a file path containing traversal sequences such as ../../. An unauthenticated attacker can send a specially crafted request that causes the application to delete a file anywhere on the filesystem that the web server process has permission to modify. A common attack scenario is deleting wp-config.php, which triggers the WordPress re-installation process and lets the attacker reconfigure the site, gain administrative access, and achieve remote code execution.
Business impact
This vulnerability is rated as critical severity with a CVSS score of 9.8. Successful exploitation could lead to a complete compromise of the web server and its data. Potential consequences include a total loss of website availability (Denial of Service), theft of sensitive data from the database, and the server being used to host malware or attack other systems. Such an incident would result in significant reputational damage, financial loss from recovery efforts, and potential regulatory penalties.
Remediation
Immediate Action: Update the Snow Monkey Forms plugin to the latest available version (newer than 12.0.3), which contains a patch for this vulnerability. After patching, review web server and application logs for any signs of past exploitation attempts.
Proactive Monitoring: Monitor web server access logs for HTTP requests containing path traversal sequences (e.g., ../, ..%2f) targeted at the Snow Monkey Forms plugin endpoints. Implement a File Integrity Monitoring (FIM) solution to alert on unauthorized deletions or modifications of critical files like wp-config.php, .htaccess, and core application files.
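The log review described above, as an added example that is not part of the original advisory: it parses combined-format access log lines, URL-decodes each request target repeatedly (so ../, ..%2f and double-encoded ..%252f are all normalized to ../), flags traversal attempts and marks whether they hit a plugin endpoint, and separately reports requests for the WordPress setup wizard, which the site serves once wp-config.php is missing. The plugin path substring, parameter names and log lines are constructed assumptions, not the plugin's real routes.

```python
import re
from urllib.parse import unquote

# Combined-log request line: ip ... [ts] "METHOD target HTTP/x" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumed substring identifying the plugin's own endpoints; adjust to the real routes.
PLUGIN_MARKER = "snow-monkey-forms"
# Page WordPress redirects to when wp-config.php is absent (re-installation wizard).
SETUP_PATH = "/wp-admin/setup-config.php"


def decode_target(target, rounds=3):
    """URL-decode repeatedly (catches ..%2f and double-encoded ..%252f) and
    fold backslashes so ..\\ is treated like ../."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target.replace("\\", "/")


def scan_access_log(log_text):
    """Return traversal attempts and setup-wizard requests found in log_text."""
    traversal, setup_requests = [], []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        target = decode_target(m.group("target"))
        if "../" in target:
            traversal.append({
                "ip": m.group("ip"),
                "target": target,
                "status": int(m.group("status")),
                "plugin_endpoint": PLUGIN_MARKER in target.lower(),
            })
        if target.split("?")[0].endswith(SETUP_PATH):
            setup_requests.append({"ip": m.group("ip"), "time": m.group("ts")})
    return {"traversal": traversal, "setup_requests": setup_requests}


# Constructed sample lines: documentation-range IPs, assumed plugin paths.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2026:10:00:01 +0000] "POST /wp-json/snow-monkey-forms/v1/submit HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.5 - - [10/Jan/2026:10:00:02 +0000] "POST /wp-json/snow-monkey-forms/v1/submit?dir=..%2f..%2f..%2fwp-config.php HTTP/1.1" 200 17 "-" "curl/8.0"
198.51.100.7 - - [10/Jan/2026:10:00:03 +0000] "GET /wp-content/plugins/snow-monkey-forms/dist/app.js HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jan/2026:10:00:04 +0000] "GET /index.php?p=..%252f..%252fetc%252fpasswd HTTP/1.1" 404 0 "-" "python-requests/2.31"
203.0.113.5 - - [10/Jan/2026:10:00:09 +0000] "GET /wp-admin/setup-config.php HTTP/1.1" 200 3071 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for key, hits in scan_access_log(SAMPLE_LOG).items():
        print(key, hits)
```

A traversal hit against a plugin endpoint followed by a setup-wizard request from the same source is the sequence to escalate first, since it matches the wp-config.php deletion scenario described in the advisory.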
Compensating Controls: If patching is not immediately possible, consider the following measures:
- Deploy a Web Application Firewall (WAF) with strict rules to detect and block path traversal attack patterns.
- Temporarily disable the Snow Monkey Forms plugin until it can be safely updated.
- Enforce strict file permissions on the web server to limit the web server user's ability to delete files outside of its intended directories.
- Ensure regular, tested backups of the website and server are available for rapid recovery.
Exploitation status
Public Exploit Available: false
Analyst recommendation
This vulnerability presents a critical and immediate threat to any organization using the affected plugin. The CVSS score of 9.8 reflects the ease of exploitation by unauthenticated attackers and the potential for complete system compromise. We strongly recommend that all affected systems be patched immediately. Although this CVE is not currently on the CISA KEV list, vulnerabilities with these characteristics are prime candidates for addition once widespread exploitation is observed. Proactive patching is the most effective defense.