CVE-2019-16902
published 2019-09-27


Priority: P2 (61, high)
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
Exploit: public exploit referenced
EPSS: 9.73% (94.9th percentile)
In the ARforms plugin 3.7.1 for WordPress, arf_delete_file in arformcontroller.php allows unauthenticated deletion of an arbitrary file by supplying the full pathname.

Affected (1 range)

Vendor              Product   Version range   Fixed in
reputeinfosystems   arforms   (not given)     (not given)

Detection & IOCs (extracted from sources)

path: /wp-content/uploads/arforms/userfiles
path: /wp-plugins/arforms
command: action=arf_delete_file&file_name=<path>&form_id=143
filename: arformcontroller.php
  • Detect unauthenticated POST requests to wp-admin/admin-ajax.php containing the 'arf_delete_file' action parameter, which indicates exploitation of the arbitrary file deletion vulnerability.
  • Monitor for POST requests with the custom header 'X-Requested-With: XMLHttpRequest' combined with body parameter 'action=arf_delete_file' targeting WordPress AJAX endpoints.
  • Alert on HTTP requests containing path traversal sequences (e.g., '../../') in the 'file_name' POST parameter directed at the ARforms plugin endpoint.
  • Probe/reconnaissance activity can be detected by monitoring GET requests to '/wp-content/uploads/arforms/userfiles' and '/wp-plugins/arforms' paths, used by the exploit to confirm plugin presence.
  • The session cookie value hardcoded in the exploit script is a default placeholder and will be replaced with a valid session cookie during actual attacks; do not use it as a reliable IOC in isolation.
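A small detection helper that applies the indicators above to request records, added here as an example and not part of this record or of the ARforms project. It assumes requests are already available as parsed records (method, path, headers, form body) and treats a wordpress_logged_in_* cookie as a sign of a logged-in client; both are assumptions, not plugin behaviour.

```python
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Paths the exploit probes to confirm the plugin is present (from the IOC list).
PROBE_PATHS = {"/wp-content/uploads/arforms/userfiles", "/wp-plugins/arforms"}

@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    body: str = ""  # raw application/x-www-form-urlencoded POST body

def classify(req: Request) -> list:
    """Return detection reasons for one request; an empty list means no match."""
    reasons = []
    url = urlsplit(req.path)
    # Recon: exact GET of a plugin directory, not of individual uploaded files.
    if req.method == "GET" and url.path.rstrip("/") in PROBE_PATHS:
        reasons.append("recon: GET of ARforms plugin path")
    if req.method == "POST" and url.path.endswith("/wp-admin/admin-ajax.php"):
        params = parse_qs(req.body)
        if params.get("action", [""])[0] == "arf_delete_file":
            hdrs = {k.lower(): v for k, v in req.headers.items()}
            # Assumption: a wordpress_logged_in_* cookie marks a logged-in client.
            # The cookie may be a placeholder, so the action is flagged either way.
            authed = "wordpress_logged_in_" in hdrs.get("cookie", "")
            reasons.append("arf_delete_file action"
                           + ("" if authed else " from unauthenticated client"))
            if hdrs.get("x-requested-with", "").lower() == "xmlhttprequest":
                reasons.append("XMLHttpRequest header with arf_delete_file")
            fname = params.get("file_name", [""])[0]
            if "../" in fname or "..\\" in fname or fname.startswith("/"):
                reasons.append("file_name is a traversal or absolute path")
    return reasons

def scan(requests: list) -> list:
    """Return (index, reasons) for every request that triggered a detection."""
    return [(i, r) for i, r in enumerate(map(classify, requests)) if r]

# Constructed sample traffic: a probe, an exploit-shaped call, a benign call.
SAMPLE = [
    Request("GET", "/wp-plugins/arforms/"),
    Request("POST", "/wp-admin/admin-ajax.php", {"X-Requested-With": "XMLHttpRequest"},
            "action=arf_delete_file&file_name=/var/www/example.txt&form_id=143"),
    Request("POST", "/wp-admin/admin-ajax.php", {"Cookie": "wordpress_logged_in_x=1"},
            "action=arf_save_form&form_id=143"),
]
```

`scan(SAMPLE)` flags the first two records and leaves the ordinary form-save call alone; real web server logs usually lack the POST body, so this logic belongs in a WAF or reverse-proxy rule that sees the request body.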

CVSS provenance

Source   Version   Score   Severity   Vector
nvd      v3.1      7.5     HIGH       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
nvd      v2.0      6.4     MEDIUM     AV:N/AC:L/Au:N/C:N/I:P/A:P