Skip to main content

Gravity Forms CVE-2026-48866

| EUVDEUVD-2026-33650 CRITICAL
Path Traversal (CWE-22)
2026-06-01 audit@patchstack.com GHSA-gf5h-7rm7-98v2
9.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.6 CRITICAL
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 01, 2026 - 15:31 vuln.today

DescriptionCVE.org

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Rocketgenius Inc. Gravity Forms allows Path Traversal.

This issue affects Gravity Forms: from n/a through 2.10.0.1.

AnalysisAI

Path traversal in Rocketgenius Gravity Forms (WordPress plugin) versions up to and including 2.10.0.1 enables remote attackers to perform arbitrary file deletion on the underlying server, as catalogued in the Patchstack advisory referenced by NVD. The CVSS 9.6 score reflects a scope-changing impact reachable over the network with low complexity and no authentication, though successful exploitation requires user interaction. No public exploit has been identified at time of analysis and the issue is not present in CISA KEV.

Technical ContextAI

Gravity Forms is a widely deployed commercial WordPress plugin from Rocketgenius used for building forms, file uploads, and workflow integrations on WordPress sites. The flaw maps to CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), meaning user-controlled input describing a file path is concatenated or resolved without canonicalising and constraining it to an intended base directory, allowing '../' style sequences to escape into arbitrary locations on the WordPress filesystem. The Patchstack advisory characterises the resulting primitive as arbitrary file deletion, which on a WordPress host can target plugin files, theme files, uploads, or - most damagingly - wp-config.php, whose removal forces WordPress into the installation flow and can be abused for site takeover.

RemediationAI

No vendor-released patch version was included in the supplied intelligence, so administrators should consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/gravityforms/vulnerability/wordpress-gravity-forms-plugin-2-10-0-1-arbitrary-file-deletion-vulnerability and the official Gravity Forms changelog at gravityforms.com to identify and install the first fixed release above 2.10.0.1, then verify the plugin version in WordPress admin. Until patched, compensating controls include placing the WordPress admin area behind an IP allowlist or VPN to reduce the UI:R attack surface, deploying a WAF rule (Patchstack, Wordfence, or equivalent) that blocks path-traversal sequences in requests to Gravity Forms endpoints under /wp-admin/admin-ajax.php and /wp-admin/admin-post.php with action parameters containing 'gf_' or 'gform', and restricting filesystem permissions so the PHP process cannot delete wp-config.php or core files - accepting that overly tight permissions may break legitimate plugin updates and uploads. Backing up wp-config.php and the uploads directory out-of-band before exposure ends limits the blast radius of any successful deletion.

Share

CVE-2026-48866 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy