CVE-2026-48866

CRITICAL

WordPress Gravity Forms plugin <= 2.10.0.1 - Arbitrary File Deletion vulnerability

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-48866. PoCs published by 0xABCD01.

AI-analyzed exploit summary: This repository contains a functional exploit PoC for CVE-2026-48866, demonstrating an arbitrary file deletion vulnerability in Gravity Forms <= 2.10.0.1 via path traversal. The PoC includes detailed technical analysis, patch comparison, and a Python script to exploit the vulnerability.

Description

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Rocketgenius Inc. Gravity Forms allows Path Traversal. This issue affects Gravity Forms: from n/a through 2.10.0.1.

Exploits (1)

GitHub, working PoC
by 0xABCD01 · Python PoC
https://github.com/0xABCD01/CVE-2026-48866


Classification: Working PoC (95%)
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: Gravity Forms <= 2.10.0.1
Authentication: none required
Prerequisites: form_id · field_id · target_file
Analyzed by devstral-2 on Jun 05, 2026

Scores

CVSS v3: 9.6
EPSS: 0.0004
EPSS Percentile: 11.4%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: total

Details

CWE: CWE-22
Status: published
Products (1): Rocketgenius Inc./Gravity Forms < 2.10.0.1
Published: Jun 01, 2026
Tracked Since: Jun 01, 2026