CVE-2026-22460 is a path traversal vulnerability identified in the wpWax FormGent plugin for WordPress, affecting versions up to and including 1.4.2. Path traversal vulnerabilities occur when an application improperly restricts user-supplied file path inputs, allowing attackers to navigate outside the intended directory boundaries. In this case, the vulnerability allows an attacker to craft malicious requests that manipulate the pathname parameter to access files and directories beyond the restricted scope. This can lead to unauthorized reading of sensitive files such as configuration files, password stores, or other critical data on the server. The vulnerability does not require authentication, increasing its risk profile, and no user interaction is necessary beyond sending crafted HTTP requests. Although no exploits are currently known in the wild, the flaw's nature and the widespread use of WordPress and its plugins make it a significant concern. The lack of a CVSS score suggests the vulnerability is newly published and pending further assessment. The vulnerability was reserved in early 2026 and publicly disclosed in March 2026. The absence of official patches at the time of disclosure means users must rely on mitigations until updates are available.

The primary impact of CVE-2026-22460 is unauthorized disclosure of sensitive information due to the ability to read arbitrary files on the affected server. This can compromise confidentiality by exposing configuration files, credentials, or other sensitive data. In some cases, attackers might leverage this information to further escalate privileges or conduct additional attacks such as remote code execution. The vulnerability affects the availability and integrity indirectly if attackers use the information gained to disrupt services or modify files. Since the vulnerability does not require authentication or user interaction, it can be exploited remotely and at scale, potentially affecting many websites using the vulnerable plugin. Organizations relying on the FormGent plugin for form management on WordPress sites face increased risk of data breaches, reputational damage, and regulatory compliance violations. The impact is especially critical for organizations handling sensitive user data or operating in regulated industries.

To mitigate CVE-2026-22460, organizations should immediately audit their WordPress installations to identify the presence of the wpWax FormGent plugin and its version. Until an official patch is released, apply the following specific mitigations: 1) Implement strict input validation and sanitization on all pathname or file-related parameters to prevent traversal sequences such as '../'. 2) Configure web server and file system permissions to restrict the plugin's access strictly to necessary directories, preventing access to sensitive files even if traversal is attempted. 3) Employ web application firewalls (WAFs) with rules designed to detect and block path traversal attack patterns targeting the FormGent plugin endpoints. 4) Monitor server logs for unusual file access patterns or repeated traversal attempts. 5) Consider temporarily disabling or removing the plugin if it is not essential to reduce exposure. 6) Stay alert for official patches or updates from wpWax and apply them promptly once available. 7) Educate development and security teams about secure coding practices to prevent similar vulnerabilities in custom plugins or themes.