Skip to main content

Gravity Forms EUVDEUVD-2026-44761

| CVE-2026-12997 HIGH
Path Traversal (CWE-22)
2026-07-15 Wordfence
7.5
CVSS 3.1 · NVD
Share

Severity by source

Vendor (Wordfence) PRIMARY
HIGH
qualitative
NVD
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
7.5 HIGH

Unauthenticated network read via a public form endpoint (AV:N/PR:N/UI:N/AC:L); confidentiality-only file disclosure (C:H) with no integrity or availability impact and no scope change.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 15, 2026 - 19:00 vuln.today
CVE Published
Jul 15, 2026 - 18:34 cve.org
HIGH 7.5

DescriptionNVD

The Gravity Forms plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.10.4 via the 'gform_uploaded_files' parameter parameter. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. Exploitation requires the targeted form to not enforce login (so publicly accessible), which allows the unauthenticated attacker to reach the process_send_resume_link endpoint and supply an arbitrary recipient email address to receive the traversal-retrieved file as a notification attachment.

AnalysisAI

Arbitrary file disclosure in the Gravity Forms WordPress plugin (all versions through 2.10.4) lets unauthenticated attackers read sensitive files from the web server by abusing the 'gform_uploaded_files' parameter against the process_send_resume_link endpoint. Reported by Wordfence, the flaw carries CVSS 7.5 and is exfiltrated by directing the traversal-retrieved file to an attacker-controlled email as a form notification attachment. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Find public login-free Gravity Forms form
Delivery
Reach process_send_resume_link endpoint
Exploit
Inject traversal in gform_uploaded_files
Execution
Set attacker recipient email
Persist
Server emails target file as attachment
Impact
Read exfiltrated sensitive file

Vulnerability AssessmentAI

Exploitation Exploitation requires the targeted Gravity Forms form to NOT enforce login, i.e. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) describes a network-reachable, low-complexity, unauthenticated confidentiality-only issue, consistent with the description of unauthenticated arbitrary file reads. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker locates a publicly accessible Gravity Forms form that does not enforce login and uses the resume-link workflow, then sends a crafted request to the process_send_resume_link endpoint with a 'gform_uploaded_files' value containing directory-traversal sequences (e.g. pointing at wp-config.php or /etc/passwd) and an attacker-controlled recipient email. …
Remediation No vendor-released patch version is identified in the available data, so upgrade to the latest Gravity Forms release beyond 2.10.4 as soon as the vendor publishes a fixed build, monitoring the vendor site (https://www.gravityforms.com/) and the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/5c03c07f-8f41-47c2-bc95-d92a623f5f7c?source=cve) for the exact patched version. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify all WordPress instances running Gravity Forms versions 2.10.4 and earlier; immediately disable email attachment functionality in affected form notifications and restrict file upload directory permissions to prevent traversal exploitation. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-44761 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy