CVE-2019-16902 — HIGH (7.5)

Vulnerability Description

In the ARforms plugin 3.7.1 for WordPress, arf_delete_file in arformcontroller.php allows unauthenticated deletion of an arbitrary file by supplying the full pathname.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Reputeinfosystems	Arforms	3.7.1

Related Weaknesses (CWE)

CWE-22

References

http://almorabea.net/cve-2019-16902.txtThird Party Advisory
https://www.arformsplugin.com/documentation/changelog/Release NotesVendor Advisory
http://almorabea.net/cve-2019-16902.txtThird Party Advisory
https://www.arformsplugin.com/documentation/changelog/Release NotesVendor Advisory

FAQ

What is CVE-2019-16902?

CVE-2019-16902 is a vulnerability with a CVSS score of 7.5 (HIGH). In the ARforms plugin 3.7.1 for WordPress, arf_delete_file in arformcontroller.php allows unauthenticated deletion of an arbitrary file by supplying the full pathname.

How severe is CVE-2019-16902?

CVE-2019-16902 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-16902?

Check the references section above for vendor advisories and patch information. Affected products include: Reputeinfosystems Arforms.