CVE-2019-16902

In the ARforms plugin 3.7.1 for WordPress, arf_delete_file in arformcontroller.php allows unauthenticated deletion of an arbitrary file by supplying the full pathname. > MITRE Terms of Use apply – see LICENSE‑MITRE.txt