cleantalk
Vulnerabilities and Security Researches

Snow Monkey Forms, CVE-2026-1056

CVE, Research URL

CVE-2026-1056

Home page URL

Security reports for Snow Monkey Forms

Application

Snow Monkey Forms

Published on
Jan 28, 2026
Research Description
The Snow Monkey Forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'generate_user_dirpath' function in all versions up to, and including, 12.0.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Affected versions
max 12.0.4.
Status
vulnerable
Previous vulnerability researches
LearnPress Export Import – WordPress extension for LearnPress (CVE-2024-32588) , Jun 07, 2024
LearnPress Export Import – WordPress extension for LearnPress (CVE-2024-31241) , Jun 07, 2024
LearnPress Export Import – WordPress extension for LearnPress (CVE-2023-30487) , Jun 07, 2024
LearnPress Export Import – WordPress extension for LearnPress (CVE-2025-60200) , Nov 10, 2025
LearnPress Export Import – WordPress extension for LearnPress (CVE-2025-49992) , Nov 10, 2025
New vulnerability
User Language Switch (CVE-2026-0745) , Apr 15, 2026
User Language Switch (CVE-2026-0735) , Apr 15, 2026
Campaign Monitor for WordPress (CVE-2026-0674) , Apr 15, 2026
WP Event Aggregator: Import Eventbrite events, Meetup events, social events and any iCal Events into WordPress (CVE-2026-1941) , Apr 15, 2026
Microtango (CVE-2026-1821) , Apr 15, 2026