Platform: wordpress
Component: formgent
Fixed in: 1.7.1
CVE-2026-22460 describes an Arbitrary File Access vulnerability within the wpWax FormGent WordPress plugin. This flaw allows attackers to potentially read arbitrary files on the server by manipulating file paths, leading to sensitive data exposure. The vulnerability impacts versions from 0.0.0 up to and including 1.7.0. A patch is expected to be released by the vendor.
The Arbitrary File Access vulnerability in FormGent allows an attacker to bypass intended access controls and read files outside of the plugin's designated directory. This could expose sensitive configuration files, database credentials, or even source code. Successful exploitation could lead to complete compromise of the WordPress instance. The attacker could potentially gain access to user data, modify website content, or execute arbitrary code if the exposed files contain sensitive information or scripts. This vulnerability shares characteristics with other path traversal exploits, where attackers leverage directory traversal sequences (e.g., '../') to navigate the file system.
CVE-2026-22460 was publicly disclosed on 2026-03-05. As of this date, there are no known public proof-of-concept exploits. The EPSS score is pending evaluation. It is recommended to monitor security advisories and vulnerability databases for updates on exploitation activity.
Exploit Status
EPSS: 0.06% (19th percentile)
The primary mitigation for CVE-2026-22460 is to upgrade to a patched version of FormGent as soon as it becomes available. Until a patch is released, consider implementing temporary workarounds. These may include restricting file access permissions on the server, using a Web Application Firewall (WAF) to filter out malicious requests containing path traversal sequences, and carefully reviewing the plugin's code for potential vulnerabilities. Monitor access logs for suspicious file access attempts. After upgrading, verify the fix by attempting to access files outside the intended directory via the plugin's interface; access should be denied.
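For the log-monitoring step above, the following is an added example (not part of the advisory or the plugin's code) that flags requests whose target contains a directory traversal segment, including percent-encoded and double-encoded forms. The log lines, the `/example-endpoint` path and the `file` parameter are constructed placeholders; the advisory does not name the affected endpoint or parameter.

```python
import re
from urllib.parse import unquote

# Apache/nginx combined log format: client IP ... "METHOD target HTTP/x" status
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# ".." used as a whole path segment, after a separator or a parameter delimiter.
TRAVERSAL_RE = re.compile(r'(?:^|[\\/=&?])\.\.(?:[\\/]|$)')


def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252e%252e) is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_traversal_requests(lines):
    """Return (ip, status, raw_target) for each request whose decoded target traverses."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if m and TRAVERSAL_RE.search(decode_fully(m["target"])):
            hits.append((m["ip"], int(m["status"]), m["target"]))
    return hits


# Constructed sample lines; the endpoint and "file" parameter are placeholders.
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Mar/2026:10:00:01 +0000] "GET /example-endpoint?file=../../target.txt HTTP/1.1" 403 512',
    '192.0.2.11 - - [05/Mar/2026:10:00:02 +0000] "GET /example-endpoint?file=..%2F..%2Ftarget.txt HTTP/1.1" 200 2048',
    '192.0.2.12 - - [05/Mar/2026:10:00:03 +0000] "GET /example-endpoint?file=%252e%252e%252ftarget.txt HTTP/1.1" 404 128',
    '198.51.100.7 - - [05/Mar/2026:10:00:04 +0000] "GET /wp-content/uploads/report..final.pdf HTTP/1.1" 200 9000',
    '198.51.100.8 - - [05/Mar/2026:10:00:05 +0000] "GET /?s=wait...what HTTP/1.1" 200 4000',
]

if __name__ == "__main__":
    for ip, status, target in find_traversal_requests(SAMPLE_LOG):
        # A 2xx response to a traversal request deserves attention first.
        flag = "REVIEW FIRST" if 200 <= status < 300 else "blocked/failed"
        print(f"{ip} {status} {flag} {target}")
```

The status code is returned alongside each hit because a traversal request answered with a 2xx response is the case to triage first, while 403 and 404 responses indicate the request was denied or failed.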
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
CVE-2026-22460 is a HIGH severity vulnerability in wpWax FormGent allowing attackers to read arbitrary files on a WordPress server due to improper path validation.
You are affected if you are using wpWax FormGent versions 0.0.0 through 1.7.0. Upgrade as soon as a patch is available.
Upgrade to a patched version of FormGent. Until a patch is released, implement temporary workarounds like WAF rules and restricted file permissions.
As of the disclosure date, there are no known active exploits, but monitoring is recommended.
Check the wpWax website and WordPress plugin repository for updates and advisories related to CVE-2026-22460.