CVE-2019-16902
Published 2019-09-27
Priority P2 · 61 · High · 7.5 CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EXPLOIT
EPSS 9.73% (94.9th percentile)
In the ARforms plugin 3.7.1 for WordPress, arf_delete_file in arformcontroller.php allows unauthenticated deletion of an arbitrary file by supplying the full pathname.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| reputeinfosystems | arforms | — | — |
Detection & IOCs (extracted from sources)
- Detect unauthenticated POST requests to wp-admin/admin-ajax.php containing the 'arf_delete_file' action parameter, which indicates exploitation of the arbitrary file deletion vulnerability.
- Monitor for POST requests with the custom header 'X-Requested-With: XMLHttpRequest' combined with body parameter 'action=arf_delete_file' targeting WordPress AJAX endpoints.
- Alert on HTTP requests containing path traversal sequences (e.g., '../../') in the 'file_name' POST parameter directed at the ARforms plugin endpoint.
- Probe/reconnaissance activity can be detected by monitoring GET requests to '/wp-content/uploads/arforms/userfiles' and '/wp-plugins/arforms' paths, used by the exploit to confirm plugin presence.
- Note: the session cookie value hardcoded in the exploit script is a default placeholder and will be replaced with a valid session cookie during actual attacks; do not use it as a reliable IOC in isolation.
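The indicators above can be turned into a small request classifier. The following is an added example written for this page, not code from the original page or from the ARforms project. It assumes request records in a proxy/WAF-style shape (method, path, headers, body) because POST bodies are not present in ordinary access logs; the sample records are constructed. It applies only the indicators listed above (the 'arf_delete_file' AJAX action, traversal in 'file_name', the XMLHttpRequest header, and GET probes for the two plugin paths) and, as a generalization beyond the page, also decodes percent-encoded and double-encoded traversal sequences and checks the query string as well as the body. It deliberately does not match on the exploit's cookie value, for the reason the last note gives.

```python
"""Classify HTTP request records against the CVE-2019-16902 indicators above.

Added example (not the page's or the plugin's own code). Request records are
dicts with keys method, path, headers, body; the samples at the bottom are
constructed. Only the indicators quoted on the page are used.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

AJAX_ENDPOINT = "/wp-admin/admin-ajax.php"
PROBE_PATHS = ("/wp-content/uploads/arforms/userfiles", "/wp-plugins/arforms")
# '../' or '..\' anywhere in the decoded value.
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")


def _params(req):
    """Merge query-string and form-body parameters (parse_qs decodes one layer)."""
    merged = {}
    for raw in (urlsplit(req["path"]).query, req.get("body", "")):
        for key, values in parse_qs(raw, keep_blank_values=True).items():
            merged.setdefault(key, []).extend(values)
    return merged


def classify_request(req):
    """Return the indicator names matched by one request record (empty if none)."""
    tags = []
    path = urlsplit(req["path"]).path
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    params = _params(req)

    # Indicator 1 and 2: POST to admin-ajax.php carrying action=arf_delete_file,
    # optionally with the XMLHttpRequest header.
    if (req["method"] == "POST" and path.endswith(AJAX_ENDPOINT)
            and "arf_delete_file" in params.get("action", [])):
        tags.append("arf_delete_file_action")
        if headers.get("x-requested-with", "").lower() == "xmlhttprequest":
            tags.append("xhr_header")

    # Indicator 3: traversal sequence in file_name. An extra unquote catches
    # double-encoded values (generalization, an assumption beyond the page).
    for value in params.get("file_name", []):
        if TRAVERSAL_RE.search(unquote(value)):
            tags.append("traversal_in_file_name")
            break

    # Indicator 4: GET probes for the plugin's known paths.
    if req["method"] == "GET" and any(path.startswith(p) for p in PROBE_PATHS):
        tags.append("plugin_probe")
    return tags


def scan(requests):
    """Return (index, tags) for every record that matched at least one indicator."""
    hits = []
    for i, req in enumerate(requests):
        tags = classify_request(req)
        if tags:
            hits.append((i, tags))
    return hits


# Constructed sample records (not real traffic).
SAMPLE_REQUESTS = [
    {"method": "GET", "path": "/wp-content/uploads/arforms/userfiles/",
     "headers": {}, "body": ""},
    {"method": "POST", "path": "/wp-admin/admin-ajax.php",
     "headers": {"X-Requested-With": "XMLHttpRequest", "Cookie": "PHPSESSID=PLACEHOLDER"},
     "body": "action=arf_delete_file&file_name=../../some-file.txt"},
    {"method": "POST", "path": "/wp-admin/admin-ajax.php", "headers": {},
     "body": "action=arf_delete_file&file_name=%252e%252e%252fsome-file.txt"},
    {"method": "POST", "path": "/wp-admin/admin-ajax.php",
     "headers": {"X-Requested-With": "XMLHttpRequest"},
     "body": "action=heartbeat&_nonce=abc123"},
    {"method": "GET", "path": "/wp-content/uploads/2019/09/photo.jpg",
     "headers": {}, "body": ""},
]

if __name__ == "__main__":
    for index, tags in scan(SAMPLE_REQUESTS):
        print(f"request {index}: {', '.join(tags)}")
```

Records 0 to 2 are flagged (probe, full exploitation pattern, and the double-encoded variant); the legitimate heartbeat AJAX call and the ordinary upload fetch are not. Plug in your own `parse_line` for the log format you have and feed the resulting dicts to `scan`.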
CVSS provenance
NVD v3.1: 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
NVD v2.0: 6.4 MEDIUM AV:N/AC:L/Au:N/C:N/I:P/A:P
No detection rules found.
Exploit-DB
WordPress Plugin Arforms 3.7.1 - Directory Traversal (CVE-2019-16902, HIGH)
exploitdb · 2019-10-11 · CVSS 7.5
---
# Exploit Title: WordPress Arforms 3.7.1 - Directory Traversal
# Date: 2019-09-27
# Exploit Author: Ahmad Almorabea
# Updated version of the exploit can be found always at : http://almorabea.net/cve-2019-16902.txt
# Software Link: https://www.arformsplugin.com/documentation/changelog/
# Version: 3.7.1
# CVE ID: CVE-2019-16902
#**************Start Notes**************
# You can run the script by putting the script name and then the URL, and the URL should have the WordPress folders in it.
# Example: exploit.rb www.test.com, and the site should have the WordPress folders in it, such as www.test.com/wp-content.
# Pay attention to the 3 numbers at the beginning; maybe you need to change it in other types, like in this script it is 143.
# Bu
Exploit-DB
WordPress Plugin ARforms 3.7.1 - Arbitrary File Deletion (CVE-2019-16902, HIGH)
exploitdb · 2019-09-30 · CVSS 7.5
---
#!/usr/bin/env ruby
# Exploit Title: WordPress Arforms - 3.7.1
# CVE ID: CVE-2019-16902
# Date: 2019-09-27
# Exploit Author: Ahmad Almorabea
# Author Website: http://almorabea.net
# Updated version of the exploit can be found always at : http://almorabea.net/cve-2019-16902.txt
# Software Link: https://www.arformsplugin.com/documentation/changelog/
# Version: 3.7.1
#**************Start Notes**************
# You can run the script by putting the script name and then the URL, and the URL should have the WordPress folders in it.
# Example: exploit.rb www.test.com, and the site should have the WordPress folders in it, such as www.test.com/wp-content.
# Pay attention to the 3 numbers at the beginning; maybe you need to change it in
No writeups or analysis indexed.