CVE-2026-1056
Published 2026-01-28
Priority: P278
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 12.02% (95.6th percentile)
The Snow Monkey Forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'generate_user_dirpath' function in all versions up to, and including, 12.0.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| inc2734 | snow_monkey_forms | <= 12.0.3 | — |
| wwbn | avideo | 0 – 26.0 | — |
GHSA
AVideo: Video Publishing Workflow Bypass via Unauthorized overrideStatus Request Parameter
ghsa·2026-04-01
CVE-2026-34738 [MEDIUM] CWE-285 AVideo: Video Publishing Workflow Bypass via Unauthorized overrideStatus Request Parameter
## Summary
AVideo's video processing pipeline accepts an `overrideStatus` request parameter that allows any uploader to set a video's status to any valid state, including "active" (`a`). This bypasses the admin-controlled moderation and draft workflows. The `setStatus()` method validates the status code against a list of known values but does not verify that the caller has permission to set that particular status. As a result, any user with upload permissions can publish videos directly, circumventing content review processes.
## Details
At `objects/video.php:1055-1056`, the video object checks for an `overrideStatus` parameter in the request and applies it directly:
```php
if (!empty($_REQUEST[
```
GHSA
GHSA-g5p3-f4cq-94v5: The Snow Monkey Forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'generate_user_dir
ghsa_unreviewed·2026-01-28
CVE-2026-1056 [CRITICAL] CWE-22 GHSA-g5p3-f4cq-94v5: The Snow Monkey Forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'generate_user_dir
No detection rules found.
No public exploits indexed.
https://plugins.trac.wordpress.org/browser/snow-monkey-forms/tags/12.0.3/App/Model/Directory.php#L58
https://plugins.trac.wordpress.org/browser/snow-monkey-forms/tags/12.0.3/App/Rest/Route/View.php#L189
https://plugins.trac.wordpress.org/browser/snow-monkey-forms/tags/12.0.3/snow-monkey-forms.php#L186
https://plugins.trac.wordpress.org/changeset/3448278/
https://www.wordfence.com/threat-intel/vulnerabilities/id/37a8642d-07f5-4b1b-8419-e30589089162?source=cve
Published: 2026-01-28