CVE-2026-22460
Published: 05 March 2026
Summary
CVE-2026-22460 is a high-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 30.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-22460 is an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability, classified as CWE-22, in the wpWax FormGent WordPress plugin. This issue affects FormGent versions from n/a through 1.7.0. The vulnerability has a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H), indicating high severity primarily due to its potential for significant availability impact.
Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and no user interaction required. Exploitation allows path traversal, enabling arbitrary file deletion on the target system and resulting in denial-of-service conditions through high availability disruption.
Patchstack has published an advisory on this vulnerability, detailing the arbitrary file deletion issue in the WordPress FormGent plugin, accessible at https://patchstack.com/database/Wordpress/Plugin/formgent/vulnerability/wordpress-formgent-plugin-1-2-1-arbitrary-file-deletion-vulnerability?_s_id=cve. Security practitioners should consult this reference for specific mitigation guidance, such as applying the available patch by updating to a FormGent version later than 1.7.0.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9580
Vulnerability details
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in wpWax FormGent formgent allows Path Traversal. This issue affects FormGent: from n/a through <= 1.7.0.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in public-facing WordPress plugin directly enables remote unauthenticated exploitation (T1190) and arbitrary file deletion (T1070.004) for DoS impact.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly remediates the path traversal flaw in FormGent plugin versions <= 1.7.0 by applying the vendor patch, preventing arbitrary file deletion.
- SI-10 (Information Input Validation): validates pathname inputs to the FormGent plugin to block traversal sequences such as '../' that enable arbitrary file access and deletion.
- SC-7 (Boundary Protection): enforces boundary protection at web interfaces (for example a web application firewall) to detect and block unauthenticated path traversal payloads targeting the vulnerable FormGent plugin.
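As an added illustration of the SI-10 control, the helper below shows how a WordPress plugin can validate a user-supplied file name before deleting anything. It is example code written for this page, not FormGent's own implementation, and it assumes the feature only ever deletes regular files placed directly inside one plugin-owned folder under the uploads directory; the request parameter name in the usage comment is hypothetical.

```php
<?php
// Added example (not FormGent's code): a guarded file-deletion helper that
// fails closed on any path that does not resolve to a regular file inside
// $base_dir. Assumption: the plugin only deletes files it placed directly in
// that directory, so directory components in the input are never legitimate.

/**
 * Delete $user_path relative to $base_dir, or refuse.
 * Returns true only when a regular file inside $base_dir was unlinked.
 */
function safe_delete_upload( string $base_dir, string $user_path ): bool {
    // Canonicalise the allowed directory once; fail closed if it is missing.
    $base = realpath( $base_dir );
    if ( false === $base ) {
        return false;
    }

    // Reject empty input, NUL bytes and any directory component. A bare
    // file name can never contain "../", "/" or "\", so traversal sequences
    // are refused before the filesystem is consulted (CWE-22 mitigation).
    if ( '' === $user_path
        || false !== strpos( $user_path, "\0" )
        || basename( $user_path ) !== $user_path ) {
        return false;
    }

    // realpath() resolves symlinks and "." / ".." and returns false when the
    // path does not exist, so $target is a real, canonical location.
    $target = realpath( $base . DIRECTORY_SEPARATOR . $user_path );
    if ( false === $target ) {
        return false;
    }

    // Containment check with a trailing separator: comparing against $base
    // alone would wrongly accept "/uploads/formgent_evil/x" when $base is
    // "/uploads/formgent", and also rejects $base itself (input "." or "..").
    if ( 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR ) ) {
        return false;
    }

    // Only regular files are deletable; never directories or special files.
    if ( ! is_file( $target ) ) {
        return false;
    }

    return unlink( $target );
}

// Usage with a hypothetical request parameter (the capability check and
// nonce verification a real handler needs are omitted here for brevity):
// $dir = trailingslashit( wp_upload_dir()['basedir'] ) . 'formgent';
// safe_delete_upload( $dir, sanitize_file_name( wp_unslash( $_POST['file'] ?? '' ) ) );
```

Each rejection branch is a natural place to log the offending input, which gives the SC-7 layer and the SOC a concrete signal for traversal attempts against the endpoint.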