{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/gravity-forms-plugin--2.10.4/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-12997"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Gravity Forms plugin (\u003c 2.10.4)"],"_cs_severities":["high"],"_cs_tags":["wordpress","plugin","web-vulnerability","collection","network"],"_cs_type":"advisory","_cs_vendors":["Gravity Forms","WordPress"],"content_html":"\u003cp\u003eA critical directory traversal vulnerability, tracked as CVE-2026-12997, exists in the Gravity Forms plugin for WordPress, impacting all versions up to and including 2.10.4. This flaw allows unauthenticated attackers to read arbitrary files from the server's filesystem by manipulating the \u003ccode\u003egform_uploaded_files\u003c/code\u003e parameter. Exploitation requires the targeted WordPress form to be publicly accessible, meaning it does not enforce login for submission. Attackers can leverage the \u003ccode\u003eprocess_send_resume_link\u003c/code\u003e endpoint to supply an arbitrary email address. Upon successful exploitation, the contents of the traversed file are sent as an attachment to the attacker's specified email, enabling the exfiltration of sensitive configuration files, credentials, or other critical data. This vulnerability poses a significant risk to the confidentiality of data on affected WordPress installations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a WordPress website running the vulnerable Gravity Forms plugin (version \u0026lt;= 2.10.4).\u003c/li\u003e\n\u003cli\u003eAttacker discovers a publicly accessible Gravity Forms form on the target WordPress site that does not require user authentication for submission.\u003c/li\u003e\n\u003cli\u003eAttacker crafts an HTTP POST request targeting a Gravity Forms AJAX endpoint, specifically related to the \u003ccode\u003eprocess_send_resume_link\u003c/code\u003e action.\u003c/li\u003e\n\u003cli\u003eThe request includes a manipulated \u003ccode\u003egform_uploaded_files\u003c/code\u003e parameter containing a directory traversal payload (e.g., \u003ccode\u003e../../../../etc/passwd\u003c/code\u003e or \u003ccode\u003e..\\..\\..\\..\\windows\\system32\\win.ini\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker specifies an arbitrary email address in the request, intending to receive the exfiltrated file content.\u003c/li\u003e\n\u003cli\u003eThe vulnerable Gravity Forms plugin processes the request, misinterpreting the directory traversal path and reading the content of the specified arbitrary file from the server.\u003c/li\u003e\n\u003cli\u003eThe plugin generates an email notification containing the read file's content as an attachment.\u003c/li\u003e\n\u003cli\u003eThe email is sent to the attacker-controlled address, successfully exfiltrating the arbitrary server file.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-12997 grants unauthenticated attackers the ability to read any file on the compromised web server that the web server process has permissions to access. This can lead to the exfiltration of highly sensitive information, such as database credentials, API keys, configuration files, source code, and potentially system-level files like \u003ccode\u003e/etc/passwd\u003c/code\u003e or \u003ccode\u003eboot.ini\u003c/code\u003e. The compromise of such data can enable further attacks, including database access, privilege escalation, or full server compromise, severely impacting the confidentiality and integrity of the affected WordPress site and its underlying infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-12997 immediately by updating the Gravity Forms plugin to version 2.10.5 or newer.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided in this brief to your SIEM and tune for your environment to detect attempts to exploit CVE-2026-12997.\u003c/li\u003e\n\u003cli\u003eMonitor web server access logs for suspicious HTTP POST requests to Gravity Forms AJAX endpoints containing directory traversal patterns in the \u003ccode\u003egform_uploaded_files\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eReview email logs and alerts for unexpected outbound emails containing attachments or originating from the Gravity Forms plugin, particularly those not associated with legitimate form submissions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-15T19:18:56Z","date_published":"2026-07-15T19:18:56Z","id":"https://feed.craftedsignal.io/briefs/2026-07-gravity-forms-directory-traversal/","summary":"Unauthenticated attackers can exploit a Directory Traversal vulnerability (CVE-2026-12997) in the Gravity Forms plugin for WordPress, affecting all versions up to and including 2.10.4, to read arbitrary files on the server and receive their contents as an email attachment, potentially exfiltrating sensitive information.","title":"Gravity Forms Directory Traversal Vulnerability (CVE-2026-12997)","url":"https://feed.craftedsignal.io/briefs/2026-07-gravity-forms-directory-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed - Gravity Forms Plugin (\u003c 2.10.4)","version":"https://jsonfeed.org/version/1.1"}