Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Rocketgenius Inc. Gravity Forms allows Path Traversal.
This issue affects Gravity Forms: from n/a through 2.10.0.1.
AnalysisAI
Path traversal in Rocketgenius Gravity Forms (WordPress plugin) versions up to and including 2.10.0.1 enables remote attackers to perform arbitrary file deletion on the underlying server, as catalogued in the Patchstack advisory referenced by NVD. The CVSS 9.6 score reflects a scope-changing impact reachable over the network with low complexity and no authentication, though successful exploitation requires user interaction. No public exploit has been identified at time of analysis and the issue is not present in CISA KEV.
Technical ContextAI
Gravity Forms is a widely deployed commercial WordPress plugin from Rocketgenius used for building forms, file uploads, and workflow integrations on WordPress sites. The flaw maps to CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), meaning user-controlled input describing a file path is concatenated or resolved without canonicalising and constraining it to an intended base directory, allowing '../' style sequences to escape into arbitrary locations on the WordPress filesystem. The Patchstack advisory characterises the resulting primitive as arbitrary file deletion, which on a WordPress host can target plugin files, theme files, uploads, or - most damagingly - wp-config.php, whose removal forces WordPress into the installation flow and can be abused for site takeover.
RemediationAI
No vendor-released patch version was included in the supplied intelligence, so administrators should consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/gravityforms/vulnerability/wordpress-gravity-forms-plugin-2-10-0-1-arbitrary-file-deletion-vulnerability and the official Gravity Forms changelog at gravityforms.com to identify and install the first fixed release above 2.10.0.1, then verify the plugin version in WordPress admin. Until patched, compensating controls include placing the WordPress admin area behind an IP allowlist or VPN to reduce the UI:R attack surface, deploying a WAF rule (Patchstack, Wordfence, or equivalent) that blocks path-traversal sequences in requests to Gravity Forms endpoints under /wp-admin/admin-ajax.php and /wp-admin/admin-post.php with action parameters containing 'gf_' or 'gform', and restricting filesystem permissions so the PHP process cannot delete wp-config.php or core files - accepting that overly tight permissions may break legitimate plugin updates and uploads. Backing up wp-config.php and the uploads directory out-of-band before exposure ends limits the blast radius of any successful deletion.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33650
GHSA-gf5h-7rm7-98v2