Introduction
A critical path traversal vulnerability in Gravity Forms, one of the most widely deployed premium WordPress form plugins, allows unauthenticated attackers to delete arbitrary files on the server when a privileged user is tricked into triggering a crafted request. With over 600,000 live websites running Gravity Forms and Patchstack warning that mass exploitation campaigns are expected, this is a vulnerability that WordPress administrators and security teams need to address immediately.
Gravity Forms is a premium form builder plugin for WordPress developed by Rocketgenius Inc. It powers form functionality on approximately 622,685 to 869,181 live websites according to WebTechSurvey and BuiltWith, holding roughly 7.53% market share in the WordPress plugins category. As a paid plugin (starting at $59/year), it occupies a significant position in the WordPress ecosystem alongside competitors like WPForms and Formidable Forms.
Technical Information
Root Cause: CWE-22 Path Traversal
CVE-2026-48866 is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). The core issue is that Gravity Forms accepts a filename or filepath parameter from user input and passes it to a file deletion function (such as PHP's unlink()) without adequately validating that the resolved path remains within the intended directory. By injecting directory traversal sequences (e.g., ../), an attacker can navigate out of the plugin's intended file scope and target any file on the server that the web server process has permission to delete.
Patchstack classifies this specifically as an Arbitrary File Deletion vulnerability and maps it to OWASP A1: Broken Access Control.
Attack Flow
The exploitation of CVE-2026-48866 follows a pattern consistent with other WordPress arbitrary file deletion vulnerabilities:
-
Reconnaissance: The attacker identifies a target running Gravity Forms version 2.10.0.1 or earlier. Gravity Forms fingerprinting is straightforward given its widespread deployment.
-
Payload Construction: The attacker crafts an HTTP request containing a path traversal payload in a file deletion parameter. The payload uses
../sequences to traverse out of the plugin's intended directory and reference a target file such aswp-config.php. -
Delivery via Social Engineering: Because the vulnerability requires user interaction, the attacker must induce a privileged WordPress user (typically an administrator) to trigger the malicious request. This can be accomplished by sending a crafted link via email, embedding the trigger in a page the admin is likely to visit, or manipulating a form submission that the admin processes.
-
File Deletion Execution: When the privileged user triggers the request, the server processes the traversal sequence and deletes the targeted file.
-
Post-Exploitation: The consequences depend on which file is deleted:
- Deleting
wp-config.phpresets the WordPress installation, potentially allowing the attacker to reinstall WordPress with attacker-controlled database credentials and achieve full site takeover. - Deleting
.htaccessfiles can disable security rules and expose directory listings. - Deleting core PHP files from plugins or themes can cause cascading site failures.
- Deleting
Attack Parameters
| Parameter | Detail |
|---|---|
| CVE ID | CVE-2026-48866 |
| CVSS Score | 9.6 (Patchstack assessment) |
| CWE | CWE-22 (Path Traversal) |
| Attack Vector | Unauthenticated (no login required) |
| User Interaction | Required (privileged user must click link, visit crafted page, or submit form) |
| OWASP Classification | A1: Broken Access Control |
| Vulnerable Versions | Gravity Forms through 2.10.0.1 |
| Patched Version | 2.10.1 |
| Discovery Date | 29 April 2026 (reported by researcher "daroo") |
| Public Disclosure | 1 June 2026 |
What Remains Unknown
The specific vulnerable code path within Gravity Forms, the exact HTTP endpoint and parameters involved, and the precise CVSS vector string have not been publicly disclosed. NIST has not yet provided its independent CVSS assessment, listing the score as "N/A" on the NVD page. No public proof of concept exploit code was available as of the disclosure date.
Affected Systems and Versions
All versions of Gravity Forms from the earliest available release through version 2.10.0.1 are affected. The vulnerability is resolved in version 2.10.1, released on 30 April 2026.
Given that Gravity Forms is a premium plugin not distributed through the WordPress.org plugin repository, automatic updates depend on the site's license status and update configuration. Sites with expired licenses or those that have disabled automatic updates may remain vulnerable longer than typical WordPress plugin deployments.
The affected install base is substantial:
| Source | Live Websites |
|---|---|
| WebTechSurvey | 622,685 |
| BuiltWith | 869,181 |
| BuiltWith (including historical) | 2,520,465 |
Vendor Security History
Gravity Forms has a notable pattern of recurring security vulnerabilities, particularly in file handling and input validation:
| Vulnerability | CVE | CVSS | Affected Versions | Type |
|---|---|---|---|---|
| Arbitrary File Deletion | CVE-2026-48866 | 9.6 | Through 2.10.0.1 | Path Traversal |
| Arbitrary File Upload | CVE-2025-12352 | 9.8 | Through 2.9.20 | File Upload |
| Stored XSS | CVE-2026-5111 | N/A | Through 2.10.0 | Cross-Site Scripting |
| Stored XSS | CVE-2026-5110 | N/A | Through 2.10.0 | Cross-Site Scripting |
| Stored XSS | CVE-2026-5109 | N/A | Through 2.10.0 | Cross-Site Scripting |
| Stored XSS (Card Type) | CVE-2026-4394 | N/A | N/A | Cross-Site Scripting |
| Stored XSS | CVE-2026-3492 | N/A | Through 2.9.28.1 | Cross-Site Scripting |
| Arbitrary File Upload | N/A | N/A | Through 1.8.19 | File Upload |
| Authenticated Blind SQL Injection | N/A | N/A | 1.8 through 1.9.3.5 | SQL Injection |
| Cross-Site Scripting | N/A | N/A | Through 1.9.6 | Cross-Site Scripting |
Several patterns stand out. File handling vulnerabilities (arbitrary file upload and now arbitrary file deletion) have recurred across multiple major version ranges, from version 1.8.19 through the current 2.10.x line. The 2015 arbitrary file upload vulnerability in version 1.8.19 had public exploit code published on Exploit-DB. Stored XSS vulnerabilities have appeared repeatedly, with at least five distinct CVEs in the 2.9.x and 2.10.x ranges alone.
Patchstack notes that Gravity Forms has no formal Vulnerability Disclosure Program (VDP), which may limit structured security researcher engagement and slow the intake of vulnerability reports.
To the vendor's credit, the response to CVE-2026-48866 specifically was fast: the patch was released within approximately one day of the initial report. Public disclosure was then delayed by roughly one month, giving Patchstack customers time to deploy the fix before details became widely available.
References
- NVD: CVE-2026-48866
- Patchstack Advisory: Arbitrary File Deletion in Gravity Forms
- Patchstack: Gravity Forms Vulnerability History
- Gravity Forms Changelog
- Gravity Forms 2.10.1 Release Announcement
- WPScan: Gravity Forms Plugin Vulnerabilities
- ZeroPath: Gravity Forms CVE-2025-12352 Summary
- Wordfence: 200,000 WordPress Sites Affected by Arbitrary File Deletion in Perfmatters
- Wordfence: Gravity Forms Unauthenticated Arbitrary File Upload
- Exploit-DB: Gravity Forms 1.8.19 Arbitrary File Upload
- WebTechSurvey: Gravity Forms Usage Statistics
- BuiltWith: Gravity Forms Usage Statistics
- Proofpoint: 2026 Vulnerability Exploitation in the Wild



