Share
## https://sploitus.com/exploit?id=9B15368C-7DEE-5DFD-935F-F92537ABE227
# CVE-2026-1056-POC
# Snow Monkey Forms - Unauthenticated Arbitrary File Deletion PoC

This repository contains a Proof of Concept (PoC) for a critical vulnerability in the **Snow Monkey Forms** WordPress plugin (versions _send(); // Direct execution flow to _send()
    }

    // CSRF check is only performed for other methods (e.g., 'confirm', 'complete')
    if ( ! Csrf::validate( Meta::get_token() ) ) { ... }
```

By supplying `input` as the method parameter, an attacker forces the application to execute the `_send()` function immediately, skipping the `Csrf::validate()` security control intended to prevent unauthorized actions.

### 2. Path Traversal Injection
Inside the `_send()` method, the application attempts to perform a cleanup routine for user-specific temporary directories. This routine relies on the `formid` parameter.

```php
// File: App/Rest/Route/View.php -> _send()

// 'form_id' is sourced directly from POST data via Meta class without sanitization
$user_dirpath = Directory::generate_user_dirpath( $this->setting->get( 'form_id' ), false );

Directory::do_empty( $user_dirpath, true ); // Recursively delete contents
Directory::remove( $user_dirpath );         // Delete the directory itself
```

The critical flaw lies in how `Directory::generate_user_dirpath` constructs the path:

```php
// File: App/Model/Directory.php

public static function generate_user_dirpath( $form_id, $do_create_directory = true ) {
    $saved_token = Csrf::saved_token();
    // ... (Regex check for token exists, but not for form_id) ...

    $user_dir = path_join( static::get(), $saved_token );
    
    // VULNERABILITY: $form_id is appended directly. 
    // WordPress path_join() does NOT resolve or sanitize '../' sequences.
    $user_dir = path_join( $user_dir, (string) $form_id ); 

    return $user_dir;
}
```

The `$form_id` variable is cast to a string but is **never validated to be an integer**. This allows an attacker to inject directory traversal characters (e.g., `../../../../`).

## Usage

### Prerequisites
- Python 3.x
- `requests` library (`pip install requests`)

### Command

```bash
python exploit.py -u  -f 
```