CVE-2025-10916
Published: 21 October 2025
Summary
CVE-2025-10916 is a critical-severity vulnerability whose weakness type (CWE) is not specified. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its exploit likelihood ranks at the 33.2nd percentile (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-10916 is a vulnerability in the FormGent WordPress plugin versions before 1.0.4, caused by insufficient file path validation. This flaw allows arbitrary file deletion on the affected server.
Unauthenticated attackers can exploit this vulnerability remotely with low attack complexity and no user interaction or privileges required, as reflected in its CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H). Exploitation enables deletion of arbitrary files, resulting in high impacts to integrity and availability but no confidentiality loss.
The WPScan advisory at https://wpscan.com/vulnerability/81c23998-1abb-495f-890a-79624a4cab9a/ indicates that updating to FormGent version 1.0.4 addresses the issue by improving file path validation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-35137
Vulnerability details
The FormGent WordPress plugin before 1.0.4 is vulnerable to arbitrary file deletion due to insufficient file path validation. This makes it possible for unauthenticated attackers to delete arbitrary files on the server.
- CWE(s): not specified
Related Threats
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
T1190 (Exploit Public-Facing Application) covers exploitation of the public-facing WordPress plugin; T1070.004 (Indicator Removal: File Deletion) and T1485 (Data Destruction) are directly enabled by the arbitrary file deletion capability.
Affected Assets
Mitigating Controls (NIST 800-53 r5, AI)
SI-10 (Information Input Validation): directly mandates validation of file path inputs, which prevents the arbitrary file deletion that results from insufficient path validation in the plugin.
SI-2 (Flaw Remediation): requires timely flaw remediation by patching the FormGent plugin to version 1.0.4, which fixes the file path validation issue.
Vulnerability scanning: supports identifying and prioritizing the plugin flaw for remediation using sources such as WPScan.
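To make the SI-10 control concrete, the PHP below is an added illustration written for this record; it is not FormGent's code and not the fix shipped in 1.0.4 (the advisory does not give those details). It contrasts the generic weak pattern (joining a request value onto a directory and calling unlink) with a validator that confines deletion to a single directory. The function names, the uploads directory and the temporary files are assumptions constructed for the demonstration.

```php
<?php
// Added example, not FormGent's code: confining a user-supplied file name to
// one directory before deleting it. Helper names and paths are assumptions.
declare(strict_types=1);

/**
 * Weak pattern: the request value is joined to a base directory and deleted.
 * "../" segments and absolute paths escape $baseDir, which is the class of
 * flaw described as "insufficient file path validation".
 */
function delete_upload_unsafe(string $baseDir, string $requested): bool
{
    $path = $baseDir . '/' . $requested;
    return file_exists($path) && unlink($path);
}

/**
 * Hardened pattern: accept only a bare file name, resolve with realpath(),
 * and require a regular file strictly inside the base directory.
 * Returns the resolved path, or null when the request must be rejected.
 * In a WordPress handler this check sits behind a capability check and a
 * nonce check (current_user_can / check_ajax_referer); those are omitted
 * here so the example runs outside WordPress.
 */
function resolve_upload_path(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        return null;
    }
    // No directory separators, NUL bytes, or "." / ".." entries: this alone
    // blocks traversal; realpath() below is defense in depth against symlinks.
    if ($requested === '' || $requested === '.' || $requested === '..'
        || strpbrk($requested, "/\\\0") !== false) {
        return null;
    }
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($target === false || !is_file($target)) {
        return null;
    }
    // Prefix check with a trailing separator so "/srv/uploads-other" is not
    // mistaken for a child of "/srv/uploads".
    if (strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $target;
}

function delete_upload_safe(string $baseDir, string $requested): bool
{
    $target = resolve_upload_path($baseDir, $requested);
    return $target !== null && unlink($target);
}

// Demonstration on a constructed temporary layout (not real plugin data).
$root    = sys_get_temp_dir() . '/path-validation-demo-' . getmypid();
$uploads = $root . '/uploads';
mkdir($uploads, 0700, true);
file_put_contents($uploads . '/report.pdf', 'inside');
file_put_contents($root . '/config.php', 'outside');  // must never be reachable

// Traversal, absolute path, and a legitimate name inside the directory.
var_dump(resolve_upload_path($uploads, '../config.php'));
var_dump(resolve_upload_path($uploads, '/etc/hostname'));
var_dump(resolve_upload_path($uploads, 'report.pdf'));
// Rejected deletion leaves the outside file in place; the inside file is removed.
var_dump(delete_upload_safe($uploads, '../config.php'));
var_dump(file_exists($root . '/config.php'));
var_dump(delete_upload_safe($uploads, 'report.pdf'));

// Cleanup of the constructed layout.
@unlink($root . '/config.php');
rmdir($uploads);
rmdir($root);
```

Run it with `php` from the command line. The validator deliberately rejects anything that is not a plain file name rather than trying to sanitize it; the realpath() and prefix comparison are retained so a symlink placed inside the directory cannot redirect the deletion elsewhere, and a directory whose name merely starts with the base path is not treated as a child of it.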