CVE-2026-48866
Path Traversal in Gravity Forms
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: Patchstack
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| rocketgenius | gravity_forms | up to 2.10.0.1 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-48866 is a vulnerability in the WordPress Gravity Forms plugin (version 2.10.0.1 and earlier) that allows an attacker to perform arbitrary file deletion through a Path Traversal flaw. This means an attacker can manipulate file paths to delete critical files on the server.
The vulnerability is classified under OWASP Top 10's Broken Access Control category and has a high severity score of 9.6, indicating it is highly dangerous.
Exploitation requires interaction from a privileged user, such as clicking a malicious link or submitting a form, but the attacker does not need to be authenticated.
How can this vulnerability impact me?
If exploited, this vulnerability allows attackers to delete critical files on your website, which can break the website's functionality.
Because the vulnerability has a high CVSS score of 9.6, it poses a significant risk and could be exploited in mass campaigns targeting thousands of websites.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability affects the WordPress Gravity Forms plugin versions 2.10.0.1 and earlier. Detection involves identifying if your system is running a vulnerable version of this plugin.
You can check the installed Gravity Forms plugin version on your WordPress site by running the following command in the WordPress root directory:
- `wp plugin list | grep gravityforms`
Alternatively, you can read the version from the header of the plugin's main PHP file, or view it in the WordPress admin dashboard under Plugins.
To detect potential exploitation attempts on your network, monitor web server logs for suspicious requests that may attempt path traversal or arbitrary file deletion patterns targeting Gravity Forms endpoints.
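As an added example (not code from Patchstack or the Gravity Forms project) covering both checks above: a version comparison against the fixed release, and a scan of web-server log lines for traversal sequences that survive URL decoding, tagging requests that touch Gravity Forms paths. The plugin directory path and the `gf_page` query parameter used as markers are assumptions, and the log lines are constructed.

```python
import re
from urllib.parse import unquote

FIXED_VERSION = "2.10.1"  # first fixed release named in the advisory
# Constructed access-log lines (combined log format); not taken from the page.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jun/2026:10:00:01 +0000] "GET /wp-content/plugins/gravityforms/js/gravityforms.min.js HTTP/1.1" 200 5123
203.0.113.9 - - [01/Jun/2026:10:00:02 +0000] "GET /?gf_page=upload&file=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 87
203.0.113.9 - - [01/Jun/2026:10:00:03 +0000] "GET /wp-content/plugins/gravityforms/%252e%252e/%252e%252e/wp-config.php HTTP/1.1" 404 120
198.51.100.7 - - [01/Jun/2026:10:00:05 +0000] "GET /theme/../style.css HTTP/1.1" 200 300
"""
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')
# '..' followed by a slash or backslash, or a trailing '/..'
TRAVERSAL_RE = re.compile(r"\.\.[\\/]|[\\/]\.\.$")
# Markers that a request touches Gravity Forms: the plugin's install
# directory and the gf_page query parameter (the latter is an assumption).
GF_MARKERS = ("/wp-content/plugins/gravityforms/", "gf_page=")

def parse_version(v):
    """'2.10.0.1' -> (2, 10, 0, 1); non-numeric components count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def is_affected(installed, fixed=FIXED_VERSION):
    """True when installed < fixed, comparing component-wise with zero padding."""
    a, b = parse_version(installed), parse_version(fixed)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))

def fully_decode(s, rounds=3):
    """Undo URL encoding until stable so double-encoded '%252e' is still seen."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def scan_log(text):
    """Return one record per request whose decoded target contains traversal."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        decoded = fully_decode(m["target"])
        if TRAVERSAL_RE.search(decoded):
            hits.append({"ip": m["ip"], "target": m["target"], "decoded": decoded,
                         "gf_related": any(k in decoded for k in GF_MARKERS)})
    return hits
```

Feed a real access log to `scan_log` and review the `gf_related` hits first; the non-tagged ones still show traversal attempts against other paths.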
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to update the Gravity Forms plugin to version 2.10.1 or later, where this vulnerability is fixed.
Until the update can be applied, you can implement the mitigation rule issued by Patchstack to block attacks targeting this vulnerability.
Additionally, restrict privileged user actions that could trigger exploitation, and monitor for suspicious activity related to file deletion attempts.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows attackers to delete critical files on affected websites, which can lead to data loss, service disruption, and potential unauthorized access or modification of sensitive information.
Such impacts can compromise the confidentiality, integrity, and availability of data, which are key principles in compliance frameworks like GDPR and HIPAA.
Failure to protect against this vulnerability could result in non-compliance with these regulations due to inadequate access control and insufficient protection of sensitive data.