CVE-2025-10916: 
WordPress vulnerability analysis and mitigation

The FormGent WordPress plugin before version 1.0.4 contains a security vulnerability identified as CVE-2025-10916. The vulnerability was discovered and disclosed on September 30, 2025, by security researcher Khaled Alenazi (Nxploited). This vulnerability affects the FormGent plugin's file handling functionality and impacts WordPress installations using versions prior to 1.0.4 (WPScan).

The vulnerability is classified as an arbitrary file deletion vulnerability due to insufficient file path validation in the FormGent plugin. It has been assigned a CVSS 3.1 base score of 9.1 CRITICAL with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H. The vulnerability is tracked under CWE-73 and falls under the OWASP Top 10 category A6: Security Misconfiguration (CISA-ADP, WPScan).

The vulnerability allows unauthenticated attackers to delete arbitrary files on the server, potentially leading to severe system disruption. An attacker could delete critical files like wp-config.php, which would effectively disable the WordPress installation (WPScan).

Website administrators running the FormGent plugin should immediately update to version 1.0.4 or later, which contains the fix for this vulnerability. If immediate updating is not possible, it is recommended to disable the plugin until the update can be applied (WPScan).