Attack Vectors
Critical (CVSS 9.1) vulnerability CVE-2026-22460 affects the WordPress plugin FormGent – Next-Gen AI Form Builder for WordPress with Multi-Step, Quizzes, Payments & More (slug: formgent) in versions <= 1.4.2. Because the issue is unauthenticated, an external attacker can target a site directly over the internet without needing a valid user account.
Any organization running the vulnerable plugin on a public-facing WordPress site should treat this as an urgent business risk. Attackers typically focus on widely used plugins because a single exploit technique can be reused across many targets, including marketing sites, campaign landing pages, and high-traffic brand properties.
Security Weakness
According to Wordfence, the FormGent plugin is vulnerable to arbitrary file deletion due to insufficient file path validation in a function in all versions up to and including 1.4.2. In practical terms, this can allow an attacker to delete files on the server that the WordPress process can access.
This issue is especially dangerous because deleting the “right” file can destabilize the site or open a path to deeper compromise. Wordfence notes that this can “easily lead to remote code execution when the right file is deleted (such as wp-config.php).”
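The advisory does not publish the affected function, so the following is an added illustration (not FormGent's code) of the weakness class it names: a textual prefix test that lets a relative path escape the intended directory, beside a check that resolves the path first and confines deletions to that directory. The WordPress-like layout, file names and temp directory are constructed for the demo.

```python
# Added example: insufficient vs. sufficient path validation before unlink().
# Directory layout and file names below are constructed; they are not from the plugin.
import os
import tempfile


def naive_is_inside(base_dir: str, requested: str) -> bool:
    """Insufficient check: prefix test on the *unresolved* joined path.
    'uploads/../wp-config.php' still starts with the 'uploads' prefix."""
    candidate = os.path.join(base_dir, requested)
    return candidate.startswith(base_dir)


def resolve_inside(base_dir: str, requested: str):
    """Resolved absolute path if it lies inside base_dir, otherwise None.
    realpath() collapses '..' and follows symlinks before the containment test;
    commonpath() avoids the 'uploads' vs 'uploads2' prefix pitfall."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def safe_unlink(base_dir: str, requested: str) -> bool:
    """Delete only a regular file whose resolved path is inside base_dir."""
    target = resolve_inside(base_dir, requested)
    if target is None or not os.path.isfile(target):
        return False
    os.unlink(target)  # target is already the resolved path, never the link
    return True


def demo() -> dict:
    """Constructed site: <tmp>/wp-config.php plus <tmp>/uploads/{export.csv,link}."""
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "uploads")
    os.mkdir(uploads)
    config = os.path.join(root, "wp-config.php")
    for path in (config, os.path.join(uploads, "export.csv")):
        with open(path, "w") as fh:
            fh.write("x")
    os.symlink(config, os.path.join(uploads, "link"))  # link escaping uploads/
    return {
        "naive_accepts_traversal": naive_is_inside(uploads, "../wp-config.php"),
        "traversal_blocked": not safe_unlink(uploads, "../wp-config.php"),
        "symlink_blocked": not safe_unlink(uploads, "link"),
        "absolute_blocked": not safe_unlink(uploads, config),
        "legit_deleted": safe_unlink(uploads, "export.csv"),
        "config_survives": os.path.exists(config),
    }
```

The same containment test applies to any plugin endpoint that accepts a file name to delete; the temp layout only exists so the checks can be exercised offline.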
Remediation status: there is no known patch available at this time. As a result, mitigation decisions should be driven by your organization’s risk tolerance and exposure (e.g., whether the site processes payments, captures leads, or supports brand-critical campaigns). The safest option may be to uninstall the affected plugin and replace it until a verified fix is released.
Technical or Business Impacts
Operational disruption (availability): Arbitrary file deletion can cause immediate site outages—impacting campaign performance, lead capture, ecommerce revenue, and brand credibility. Even brief downtime can be costly during time-sensitive launches, PR events, or paid media pushes.
Risk of site takeover: If the attack chain results in remote code execution (as highlighted by the advisory’s example of deleting wp-config.php), attackers may gain the ability to run malicious code on the server. That can lead to persistent backdoors, SEO spam, redirects to scam pages, or the distribution of malware to your visitors.
Compliance and legal exposure: If your WordPress instance stores personal data (lead forms, quizzes, payment-related data, or customer identifiers), a compromise can create reporting obligations and regulatory scrutiny, depending on your jurisdiction and contractual commitments. Marketing and compliance teams should be aligned on incident response expectations.
Practical mitigations while no patch exists: Consider uninstalling FormGent (recommended for high-risk environments), restoring from known-good backups if suspicious activity is suspected, limiting exposure via a web application firewall (WAF), tightening file permissions, and increasing monitoring (file integrity, admin account changes, and unexpected outbound connections). Also review whether any marketing forms/quizzes/payments powered by this plugin can be moved to a safer alternative in the short term to reduce business interruption risk.
Similar Attacks
High-impact web vulnerabilities are commonly exploited at scale because they provide a fast path to disruption or takeover. Examples of broadly comparable real-world incidents include:
WordPress File Manager plugin zero-day exploited in the wild (2020) — widely targeted because it enabled rapid compromise of vulnerable sites.
Apache Struts CVE-2017-5638 (CISA alert) — a well-known example of a critical, internet-exposed flaw that was heavily exploited and associated with severe business impact.
Drupal “Drupalgeddon2” (SA-CORE-2018-002) CISA alert — demonstrates how unauthenticated web flaws can quickly lead to mass exploitation and site takeovers.