Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Unauthenticated network read via a public form endpoint (AV:N/PR:N/UI:N/AC:L); confidentiality-only file disclosure (C:H) with no integrity or availability impact and no scope change.
Primary rating from Vendor (Wordfence).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionNVD
The Gravity Forms plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.10.4 via the 'gform_uploaded_files' parameter parameter. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. Exploitation requires the targeted form to not enforce login (so publicly accessible), which allows the unauthenticated attacker to reach the process_send_resume_link endpoint and supply an arbitrary recipient email address to receive the traversal-retrieved file as a notification attachment.
Articles & Coverage 1
AnalysisAI
Arbitrary file disclosure in the Gravity Forms WordPress plugin (all versions through 2.10.4) lets unauthenticated attackers read sensitive files from the web server by abusing the 'gform_uploaded_files' parameter against the process_send_resume_link endpoint. Reported by Wordfence, the flaw carries CVSS 7.5 and is exfiltrated by directing the traversal-retrieved file to an attacker-controlled email as a form notification attachment. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the targeted Gravity Forms form to NOT enforce login, i.e. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) describes a network-reachable, low-complexity, unauthenticated confidentiality-only issue, consistent with the description of unauthenticated arbitrary file reads. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker locates a publicly accessible Gravity Forms form that does not enforce login and uses the resume-link workflow, then sends a crafted request to the process_send_resume_link endpoint with a 'gform_uploaded_files' value containing directory-traversal sequences (e.g. pointing at wp-config.php or /etc/passwd) and an attacker-controlled recipient email. … |
| Remediation | No vendor-released patch version is identified in the available data, so upgrade to the latest Gravity Forms release beyond 2.10.4 as soon as the vendor publishes a fixed build, monitoring the vendor site (https://www.gravityforms.com/) and the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/5c03c07f-8f41-47c2-bc95-d92a623f5f7c?source=cve) for the exact patched version. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, identify all WordPress instances running Gravity Forms versions 2.10.4 and earlier; immediately disable email attachment functionality in affected form notifications and restrict file upload directory permissions to prevent traversal exploitation. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Gravity Forms
View allThe Clockwork SMS clockwork-test-message.php component has XSS via a crafted "to" parameter in a clockwork-test-message
The Gravity Forms WordPress plugin before 2.7.5 does not escape generated URLs before outputting them in attributes, lea
Deserialization of Untrusted Data vulnerability in Rocketgenius Inc. Rated high severity (CVSS 8.3), this vulnerability
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44761