CVE-2026-48866
Deferred Deferred - Pending Action
Path Traversal in Gravity Forms

Publication date: 2026-06-01

Last updated on: 2026-06-01

Assigner: Patchstack

Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Rocketgenius Inc. Gravity Forms allows Path Traversal. This issue affects Gravity Forms: from n/a through 2.10.0.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-01
Last Modified
2026-06-01
Generated
2026-06-21
AI Q&A
2026-06-01
EPSS Evaluated
2026-06-20
NVD
CVE-2026-48866
EUVD
EUVD-2026-33650
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
rocketgenius gravity_forms to 2.10.0.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-48866 is a vulnerability in the WordPress Gravity Forms plugin (version 2.10.0.1 and earlier) that allows an attacker to perform arbitrary file deletion through a Path Traversal flaw. This means an attacker can manipulate file paths to delete critical files on the server.

The vulnerability is classified under OWASP Top 10's Broken Access Control category and has a high severity score of 9.6, indicating it is highly dangerous.

Exploitation requires a privileged user to perform an action such as clicking a malicious link or submitting a form, but does not require authentication.

Impact Analysis

If exploited, this vulnerability allows attackers to delete critical files on your website, which can break the website's functionality.

Because the vulnerability has a high CVSS score of 9.6, it poses a significant risk and could be exploited in mass campaigns targeting thousands of websites.

Detection Guidance

This vulnerability affects the WordPress Gravity Forms plugin versions 2.10.0.1 and earlier. Detection involves identifying if your system is running a vulnerable version of this plugin.

You can check the installed Gravity Forms plugin version on your WordPress site by running the following command in the WordPress root directory:

  • wp plugin list | grep gravityforms

Alternatively, you can inspect the plugin's version by checking the plugin's main PHP file header or by viewing the plugin version in the WordPress admin dashboard under Plugins.

To detect potential exploitation attempts on your network, monitor web server logs for suspicious requests that may attempt path traversal or arbitrary file deletion patterns targeting Gravity Forms endpoints.

Mitigation Strategies

The primary mitigation step is to update the Gravity Forms plugin to version 2.10.1 or later, where this vulnerability is fixed.

Until the update can be applied, you can implement the mitigation rule issued by Patchstack to block attacks targeting this vulnerability.

Additionally, restrict privileged user actions that could trigger exploitation, and monitor for suspicious activity related to file deletion attempts.

Compliance Impact

The vulnerability allows attackers to delete critical files on affected websites, which can lead to data loss, service disruption, and potential unauthorized access or modification of sensitive information.

Such impacts can compromise the confidentiality, integrity, and availability of data, which are key principles in compliance frameworks like GDPR and HIPAA.

Failure to protect against this vulnerability could result in non-compliance with these regulations due to inadequate access control and insufficient protection of sensitive data.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48866. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart