Skip to main content

Gravity Forms

4 CVEs product

Monthly

CVE-2026-12997 HIGH This Week

Arbitrary file disclosure in the Gravity Forms WordPress plugin (all versions through 2.10.4) lets unauthenticated attackers read sensitive files from the web server by abusing the 'gform_uploaded_files' parameter against the process_send_resume_link endpoint. Reported by Wordfence, the flaw carries CVSS 7.5 and is exfiltrated by directing the traversal-retrieved file to an attacker-controlled email as a form notification attachment. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Path Traversal WordPress Gravity Forms
NVD
CVSS 3.1
7.5
CVE-2023-28782 HIGH This Week

Deserialization of Untrusted Data vulnerability in Rocketgenius Inc. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Gravity Forms
NVD
CVSS 3.1
8.3
EPSS
0.2%
CVE-2023-2701 MEDIUM POC This Month

The Gravity Forms WordPress plugin before 2.7.5 does not escape generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting which could be used against. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Gravity Forms
NVD WPScan
CVSS 3.1
6.1
EPSS
0.5%
CVE-2017-17780 MEDIUM POC PATCH This Month

The Clockwork SMS clockwork-test-message.php component has XSS via a crafted "to" parameter in a clockwork-test-message request to wp-admin/admin.php. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS WordPress PHP Booking Calendar Sms Clockwork Sms Notfications +6
NVD
CVSS 3.1
6.1
EPSS
0.3%
CVSS 7.5
HIGH This Week

Arbitrary file disclosure in the Gravity Forms WordPress plugin (all versions through 2.10.4) lets unauthenticated attackers read sensitive files from the web server by abusing the 'gform_uploaded_files' parameter against the process_send_resume_link endpoint. Reported by Wordfence, the flaw carries CVSS 7.5 and is exfiltrated by directing the traversal-retrieved file to an attacker-controlled email as a form notification attachment. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Path Traversal WordPress Gravity Forms
NVD
EPSS 0% CVSS 8.3
HIGH This Week

Deserialization of Untrusted Data vulnerability in Rocketgenius Inc. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Gravity Forms
NVD
EPSS 0% CVSS 6.1
MEDIUM POC This Month

The Gravity Forms WordPress plugin before 2.7.5 does not escape generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting which could be used against. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Gravity Forms
NVD WPScan
EPSS 0% CVSS 6.1
MEDIUM POC PATCH This Month

The Clockwork SMS clockwork-test-message.php component has XSS via a crafted "to" parameter in a clockwork-test-message request to wp-admin/admin.php. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS WordPress PHP +8
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy