Cyber Resilience

CVE-2026-22460

Severity: High
Published: 05 March 2026
Modified: 23 April 2026
KEV Added: not listed
CVSS Score v3.1: 8.6 (High) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
EPSS Score: 0.0039 (30.3rd percentile)
Risk Priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-22460 is a high-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 8.6 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks the CVE at the 30.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-22460 is an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability, classified as CWE-22, in the wpWax FormGent WordPress plugin. It affects all FormGent releases up to and including 1.7.0 (the advisory gives no lower bound). The CVSS v3.1 base score is 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H): reachable over the network, low attack complexity, no privileges or user interaction required, with the impact confined to availability (A:H) but with a changed scope (S:C), meaning the files an attacker can delete belong to the WordPress installation and host rather than to the plugin alone.

An unauthenticated remote attacker can exploit the flaw over the network with low attack complexity and no user interaction. The traversal lets the attacker supply a pathname that escapes the directory the plugin intends to operate in, so files outside that directory can be deleted; removing files the site depends on takes the application down, which is the high availability impact recorded in the vector.

Patchstack has published an advisory describing the arbitrary file deletion issue in the WordPress FormGent plugin: https://patchstack.com/database/Wordpress/Plugin/formgent/vulnerability/wordpress-formgent-plugin-1-2-1-arbitrary-file-deletion-vulnerability?_s_id=cve. Consult it for the fixed release; since every version up to and including 1.7.0 is affected, remediation means updating FormGent to a version later than 1.7.0.

Vulnerability details

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in wpWax FormGent formgent allows Path Traversal. This issue affects FormGent: from n/a through <= 1.7.0.

CWE(s)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1070.004 Indicator Removal: File Deletion Defense Evasion
Adversaries may delete files left behind by the actions of their intrusion activity.
Why these techniques?

Path traversal in a public-facing WordPress plugin directly enables remote unauthenticated exploitation (T1190) and arbitrary file deletion for DoS impact. One caveat on the second mapping: T1070.004 describes an adversary deleting its own artifacts to evade detection, whereas destroying a victim's files to cause denial of service is closer to T1485 (Data Destruction, Impact tactic). Defenders hunting for this CVE should therefore key on unexpected file-deletion activity from the web server process rather than on the defense-evasion framing.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-4350 (shared CWE-22)
CVE-2025-7643 (shared CWE-22)
CVE-2025-14850 (shared CWE-22)
CVE-2025-8141 (shared CWE-22)
CVE-2025-2328 (shared CWE-22)
CVE-2025-7645 (shared CWE-22)
CVE-2026-41058 (shared CWE-22)
CVE-2026-0704 (shared CWE-22)
CVE-2025-11631 (shared CWE-22)
CVE-2025-65792 (shared CWE-22)

Affected Assets

wpWax FormGent WordPress plugin (formgent), all versions up to and including 1.7.0.

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Directly remediates the path traversal flaw in FormGent plugin versions <= 1.7.0 by applying the vendor's fixed release, which removes the arbitrary file deletion primitive.

SI-10 Information Input Validation (prevent)

Validates pathname inputs to the FormGent plugin: the supplied name is resolved against the directory the plugin is meant to operate in and rejected if it escapes that directory. This blocks traversal sequences such as '../', including URL-encoded and backslash variants, that enable arbitrary file access and deletion.

SC-7 Boundary Protection (prevent)

Enforces boundary protection at the web interface (a WAF or reverse proxy in front of WordPress) to detect and block unauthenticated traversal payloads aimed at the vulnerable plugin. This is a compensating control until the plugin is updated; encoded forms of '../' must be normalized before matching, otherwise the rule is trivially bypassed.

References

Patchstack advisory, WordPress FormGent plugin arbitrary file deletion vulnerability: https://patchstack.com/database/Wordpress/Plugin/formgent/vulnerability/wordpress-formgent-plugin-1-2-1-arbitrary-file-deletion-vulnerability?_s_id=cve