<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Gravity Forms Plugin (&lt; 2.10.4) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/gravity-forms-plugin--2.10.4/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 15 Jul 2026 19:18:56 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/gravity-forms-plugin--2.10.4/feed.xml" rel="self" type="application/rss+xml"/><item><title>Gravity Forms Directory Traversal Vulnerability (CVE-2026-12997)</title><link>https://feed.craftedsignal.io/briefs/2026-07-gravity-forms-directory-traversal/</link><pubDate>Wed, 15 Jul 2026 19:18:56 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-gravity-forms-directory-traversal/</guid><description>Unauthenticated attackers can exploit a Directory Traversal vulnerability (CVE-2026-12997) in the Gravity Forms plugin for WordPress, affecting all versions up to and including 2.10.4, to read arbitrary files on the server and receive their contents as an email attachment, potentially exfiltrating sensitive information.</description><content:encoded><![CDATA[<p>A critical directory traversal vulnerability, tracked as CVE-2026-12997, exists in the Gravity Forms plugin for WordPress, impacting all versions up to and including 2.10.4. This flaw allows unauthenticated attackers to read arbitrary files from the server's filesystem by manipulating the <code>gform_uploaded_files</code> parameter. Exploitation requires the targeted WordPress form to be publicly accessible, meaning it does not enforce login for submission. Attackers can leverage the <code>process_send_resume_link</code> endpoint to supply an arbitrary email address. Upon successful exploitation, the contents of the traversed file are sent as an attachment to the attacker's specified email, enabling the exfiltration of sensitive configuration files, credentials, or other critical data. This vulnerability poses a significant risk to the confidentiality of data on affected WordPress installations.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker identifies a WordPress website running the vulnerable Gravity Forms plugin (version &lt;= 2.10.4).</li>
<li>Attacker discovers a publicly accessible Gravity Forms form on the target WordPress site that does not require user authentication for submission.</li>
<li>Attacker crafts an HTTP POST request targeting a Gravity Forms AJAX endpoint, specifically related to the <code>process_send_resume_link</code> action.</li>
<li>The request includes a manipulated <code>gform_uploaded_files</code> parameter containing a directory traversal payload (e.g., <code>../../../../etc/passwd</code> or <code>..\..\..\..\windows\system32\win.ini</code>).</li>
<li>The attacker specifies an arbitrary email address in the request, intending to receive the exfiltrated file content.</li>
<li>The vulnerable Gravity Forms plugin processes the request, misinterpreting the directory traversal path and reading the content of the specified arbitrary file from the server.</li>
<li>The plugin generates an email notification containing the read file's content as an attachment.</li>
<li>The email is sent to the attacker-controlled address, successfully exfiltrating the arbitrary server file.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-12997 grants unauthenticated attackers the ability to read any file on the compromised web server that the web server process has permissions to access. This can lead to the exfiltration of highly sensitive information, such as database credentials, API keys, configuration files, source code, and potentially system-level files like <code>/etc/passwd</code> or <code>boot.ini</code>. The compromise of such data can enable further attacks, including database access, privilege escalation, or full server compromise, severely impacting the confidentiality and integrity of the affected WordPress site and its underlying infrastructure.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-12997 immediately by updating the Gravity Forms plugin to version 2.10.5 or newer.</li>
<li>Deploy the Sigma rule provided in this brief to your SIEM and tune for your environment to detect attempts to exploit CVE-2026-12997.</li>
<li>Monitor web server access logs for suspicious HTTP POST requests to Gravity Forms AJAX endpoints containing directory traversal patterns in the <code>gform_uploaded_files</code> parameter.</li>
<li>Review email logs and alerts for unexpected outbound emails containing attachments or originating from the Gravity Forms plugin, particularly those not associated with legitimate form submissions.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>wordpress</category><category>plugin</category><category>web-vulnerability</category><category>collection</category><category>network</category></item></channel></rss>