CVE-2026-12997
WordPress Schwachstellenanalyse und -minderung

Überblick

CVE-2026-12997 is a Directory Traversal vulnerability in the Gravity Forms plugin for WordPress, affecting all versions up to and including 2.10.4. It allows unauthenticated attackers to read arbitrary files on the server by manipulating the gform_uploaded_files parameter via the process_send_resume_link endpoint, with the retrieved file delivered as an email attachment to an attacker-controlled address. The vulnerability was published on July 15, 2026, with a patch made available the same day. It carries a CVSS v3.1 base score of 7.5 (High) (GitHub Advisory, Wordfence).

Technische Details

The root cause is improper limitation of a pathname to a restricted directory (CWE-22), where the gform_uploaded_files parameter is not properly sanitized before being used in file system operations. An unauthenticated attacker can craft a request to the process_send_resume_link endpoint of a publicly accessible Gravity Forms form, supplying path traversal sequences (e.g., ../../) in the gform_uploaded_files parameter to reference arbitrary files outside the intended upload directory. The attacker also supplies an arbitrary recipient email address, causing the server to send the traversal-retrieved file as a notification attachment. Exploitation requires the targeted form to be publicly accessible (i.e., not requiring user login) (GitHub Advisory, Wordfence).

Aufprall

Successful exploitation allows an unauthenticated remote attacker to read the contents of arbitrary files on the web server, including sensitive configuration files such as wp-config.php (containing database credentials), environment files, or other server-side data. The impact is limited to confidentiality — there is no integrity or availability impact — but the exposure of credentials or secrets could enable further compromise, including database access or lateral movement within the hosting environment (GitHub Advisory, Wordfence).

Ausnutzungsschritte

  1. Reconnaissance: Identify WordPress sites running Gravity Forms version 2.10.4 or earlier using tools like WPScan, Shodan, or by inspecting plugin metadata in publicly accessible WordPress installations.
  2. Identify a public form: Locate a Gravity Forms form on the target site that does not require user authentication (publicly accessible) and supports file uploads or resume link functionality.
  3. Craft the malicious request: Send an HTTP POST request to the process_send_resume_link endpoint, manipulating the gform_uploaded_files parameter with path traversal sequences (e.g., ../../../../etc/passwd or ../../../../var/www/html/wp-config.php) to reference a target file outside the upload directory.
  4. Supply attacker-controlled email: Include an arbitrary recipient email address in the request so the server sends the traversal-retrieved file as a notification attachment to the attacker.
  5. Retrieve sensitive data: Check the attacker-controlled email inbox for the attachment containing the contents of the targeted server file, which may include database credentials, API keys, or other sensitive configuration data (GitHub Advisory, Wordfence).

Indikatoren für Kompromittierung

  • Network: Unusual HTTP POST requests to the process_send_resume_link endpoint containing path traversal sequences (e.g., ../, %2e%2e%2f, ..%2f) in the gform_uploaded_files parameter; requests originating from unexpected or unknown IP addresses targeting Gravity Forms endpoints.
  • Logs: WordPress or web server access logs showing POST requests to /wp-admin/admin-ajax.php or similar endpoints with action=gform_send_resume_link and anomalous file path values in the body; outbound email activity triggered by form submissions referencing non-upload-directory file paths.
  • Email: Outbound notification emails from the WordPress site containing attachments with contents of system files (e.g., wp-config.php, /etc/passwd) sent to external or unrecognized email addresses.

Risikominderung und Problemumgehungen

Update the Gravity Forms plugin to a version newer than 2.10.4, which contains the patch for this vulnerability (GitHub Advisory). If immediate patching is not possible, configure all Gravity Forms that handle sensitive data or file uploads to require user authentication before access, as exploitation requires the form to be publicly accessible. Additionally, consider restricting outbound email from the WordPress server to known, trusted recipient addresses as a defense-in-depth measure (Wordfence).

Zusätzliche Ressourcen


QuelleDieser Bericht wurde mithilfe von KI erstellt

Verwandt WordPress Schwachstellen:

CVE-Kennung

Strenge

Punktzahl

Technologieen

Name der Komponente

CISA KEV-Exploit

Hat fix

Veröffentlichungsdatum

CVE-2026-12512HIGH8.6
  • quotes-llama
NeinJaJul 15, 2026
CVE-2026-12281HIGH8.1
  • shibboleth
NeinJaJul 15, 2026
CVE-2026-12997HIGH7.5
  • gravityforms
NeinJaJul 15, 2026
CVE-2026-11580MEDIUM5.5
  • kali-forms
NeinJaJul 15, 2026
CVE-2026-11579MEDIUM5.3
  • kali-forms
NeinJaJul 15, 2026

Kostenlose Schwachstellenbewertung

Benchmarking Ihrer Cloud-Sicherheitslage

Bewerten Sie Ihre Cloud-Sicherheitspraktiken in 9 Sicherheitsbereichen, um Ihr Risikoniveau zu bewerten und Lücken in Ihren Abwehrmaßnahmen zu identifizieren.

Bewertung anfordern

Eine personalisierte Demo anfordern

Sind Sie bereit, Wiz in Aktion zu sehen?

"Die beste Benutzererfahrung, die ich je gesehen habe, bietet vollständige Transparenz für Cloud-Workloads."
David EstlickCISO
"„Wiz bietet eine zentrale Oberfläche, um zu sehen, was in unseren Cloud-Umgebungen vor sich geht.“ "
Adam FletcherSicherheitsbeauftragter
"„Wir wissen, dass, wenn Wiz etwas als kritisch identifiziert, es auch wirklich kritisch ist.“"
Greg PoniatowskiLeiter Bedrohungs- und Schwachstellenmanagement