CVE-2026-12997 in Gravity Forms Plugininfo

Summary

by MITRE • 07/15/2026

The Gravity Forms plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.10.4 via the 'gform_uploaded_files' parameter parameter. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. Exploitation requires the targeted form to not enforce login (so publicly accessible), which allows the unauthenticated attacker to reach the process_send_resume_link endpoint and supply an arbitrary recipient email address to receive the traversal-retrieved file as a notification attachment.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/15/2026

The Gravity Forms plugin for WordPress represents one of the most widely deployed form building solutions in the web application ecosystem, serving millions of websites globally. This vulnerability specifically targets versions up to and including 2.10.4, creating a critical security gap that affects numerous WordPress installations. The directory traversal flaw manifests through the 'gform_uploaded_files' parameter, which controls file handling operations within the plugin's core functionality. This parameter becomes a vector for attackers to manipulate file access paths and retrieve unauthorized data from the server filesystem.

The technical implementation of this vulnerability stems from insufficient input validation and sanitization within the plugin's file handling mechanisms. When an attacker supplies malicious input through the 'gform_uploaded_files' parameter, the system fails to properly validate or restrict file path traversal attempts. This allows attackers to craft requests that bypass normal file access controls and navigate to arbitrary locations within the server's filesystem. The vulnerability operates at the application layer, specifically within the plugin's file processing endpoint that handles form submission data and file attachments.

The operational impact of this vulnerability extends beyond simple information disclosure, creating a pathway for attackers to extract sensitive data from compromised WordPress installations. An unauthenticated attacker can exploit this weakness by targeting publicly accessible forms that do not enforce login requirements, making the attack surface significantly larger than typical authenticated vulnerabilities. The exploitation process involves reaching the 'process_send_resume_link' endpoint, which serves as the primary attack vector for triggering the directory traversal behavior. This endpoint specifically handles resume link functionality and becomes the conduit through which malicious file path requests are processed.

The privilege escalation aspect of this vulnerability occurs when attackers can leverage the publicly accessible form to bypass normal authentication requirements, transforming a potential local file inclusion issue into a remote information disclosure threat. The vulnerability's design allows attackers to specify recipient email addresses, enabling them to receive retrieved files as notification attachments, effectively creating a data exfiltration mechanism that operates through legitimate plugin notification systems. This approach obscures malicious activity within normal application behavior, making detection more challenging for security monitoring systems.

From a cybersecurity framework perspective, this vulnerability aligns with CWE-22 (Improper Limiting of a Pathname to a Restricted Directory) and represents a classic directory traversal attack pattern. The issue maps directly to several ATT&CK techniques including T1078 (Valid Accounts) through the exploitation of publicly accessible forms, and T1566 (Phishing) when attackers use retrieved sensitive information for further social engineering attacks. Organizations using Gravity Forms must consider this vulnerability as part of their broader security posture assessment, particularly in environments where form accessibility is not properly restricted.

Mitigation strategies should focus on immediate patching to versions beyond 2.10.4 where the vulnerability has been addressed. Administrators should implement strict access controls on all forms that handle sensitive data, ensuring that only authenticated users can submit information to potentially vulnerable endpoints. Network-level protections including web application firewalls and intrusion detection systems can help identify and block suspicious traversal attempts. Additionally, regular security audits of WordPress plugins should include verification of file handling mechanisms and proper input validation to prevent similar vulnerabilities from emerging in other components of the web application stack.

Responsible

Wordfence

Reservation

06/23/2026

Disclosure

07/15/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!