Wordpress on Aretiq AIhttps://aretiq.ai/tags/wordpress/Recent content in Wordpress on Aretiq AIHugoen-usTue, 02 Jun 2026 00:00:00 +0000CVE-2026-8206 — Themeum Kirki WordPress Plugin Password Reset Email Redirect Privilege Escalationhttps://aretiq.ai/research/vul260602-cve-2026-8206-themeum-kirki-wordpress-plugin-password-reset-email-redirect-privilege-escalation/Tue, 02 Jun 2026 00:00:00 +0000https://aretiq.ai/research/vul260602-cve-2026-8206-themeum-kirki-wordpress-plugin-password-reset-email-redirect-privilege-escalation/<h2 id="1-overview">1. Overview</h2> <p>A vulnerability exists in the Kirki – Freeform Page Builder, Website Builder &amp; Customizer plugin for WordPress, in the password reset functionality exposed via the REST API. The <code>handle_forgot_password</code> endpoint accepts a username and an arbitrary email address; when a reset is requested by username, the plugin generates a valid password reset key but sends the reset link to the attacker-supplied email instead of the user&rsquo;s registered email. An unauthenticated attacker can exploit this to receive the password reset link for any user account—including administrator—and take over the account by resetting its password. The vulnerability affects versions 6.0.0 through 6.0.6 and was fixed in version 6.0.7.</p>CVE-2026-48866 — WordPress Gravity Forms Plugin File Upload Path Traversal Arbitrary File Deletionhttps://aretiq.ai/research/vul260601-cve-2026-48866-wordpress-gravity-forms-plugin-file-upload-path-traversal-arbitrary-file-deletion/Mon, 01 Jun 2026 00:00:00 +0000https://aretiq.ai/research/vul260601-cve-2026-48866-wordpress-gravity-forms-plugin-file-upload-path-traversal-arbitrary-file-deletion/<h2 id="1-overview">1. Overview</h2> <p>A path traversal vulnerability exists in the Gravity Forms WordPress plugin&rsquo;s file deletion mechanism. When processing entries that contain file upload fields, the plugin converts stored file URLs to filesystem paths using a simple string replacement without validating that the resulting path remains within the uploads directory. An unauthenticated attacker can submit a form with a crafted <code>gform_uploaded_files</code> parameter containing directory traversal sequences (<code>../</code>), which are stored in the entry database. When a privileged user subsequently deletes the entry or its attached files, the traversal sequences cause the plugin to delete arbitrary files on the server. Deleting critical files such as <code>wp-config.php</code> results in complete site unavailability. Rocketgenius addressed this vulnerability in Gravity Forms version 2.10.1.</p>