Unauthenticated attackers can delete arbitrary files from WordPress sites running Gravity Forms 2.10.0.1 or earlier, according to a disclosure published June 1 in Wordfence's Vulnerability Database. The flaw prompted Reclaim Hosting to begin force-updating the plugin across thousands of client installations on June 3.
TL;DR: A critical file deletion flaw in Gravity Forms versions 2.10.0.1 and earlier allows unauthenticated attackers to remove arbitrary files from affected WordPress sites; Reclaim Hosting began automated updates June 3 at 1 p.m. ET.
The vulnerability affects one of WordPress's most widely deployed paid form plugins. Gravity Forms appears on thousands of agency-managed client sites, including Domain of One's Own project homepages where the plugin powers request-form functionality. Because the flaw requires no authentication, every site still running an affected version is exposed to anyone who can reach it.

What the Vulnerability Allows
The arbitrary file deletion vulnerability lets an attacker without an account or credentials delete files on an affected WordPress installation. The deletion runs with the web server's filesystem permissions, so the reachable set is whatever the PHP process can remove, which on typical hosts includes WordPress core, plugin, theme and configuration files. Wordfence published the disclosure June 1, identifying all Gravity Forms versions 2.10.0.1 and earlier as vulnerable. The plugin vendor patched the flaw in version 2.10.1, released prior to the public disclosure.
The vulnerability carries particular risk for agencies managing multiple client WordPress installations, where plugin update cycles often lag behind patch releases. Similar plugin vulnerabilities in Kirki and WP Maps Pro have demonstrated how delayed updates across agency portfolios compound exposure when proof-of-concept exploits surface.
Reclaim Hosting's Response
Reclaim Hosting initiated automated plugin updates at 1 p.m. ET on June 3, using WordPress's built-in update mechanism to upgrade Gravity Forms installations across its infrastructure. The update procedure covers sites on Domain of One's Own, Managed Hosting, Reclaim EDU, Shared Hosting, and Reclaim Cloud.
The hosting provider targeted all WordPress sites with Gravity Forms installed, including Domain of One's Own project homepages where the request-form feature relies on the plugin. Reclaim recommended users with expired Gravity Forms licenses deactivate the plugin until license renewal enables update access.
Patch Status and Version Details
Gravity Forms version 2.10.1 closed the arbitrary file deletion vulnerability. The current stable release is version 2.10.3 as of June 3, incorporating the security patch and subsequent maintenance updates. Sites running version 2.10.0.1 or earlier remain vulnerable until updated.
The patch timeline shows the vendor addressed the flaw before public disclosure, allowing hosting providers time to coordinate update deployments. Agencies managing client sites should verify the installed Gravity Forms version on every site, via /wp-admin/plugins.php or WP-CLI's wp plugin list command, and enable automatic background updates for the plugin to shorten future exposure windows. Gravity Forms is distributed from the vendor's own update server rather than WordPress.org, so both manual and automatic updates depend on a valid license key.
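As an added example (not code from the article, from Reclaim Hosting or from the Gravity Forms vendor), the following Python script carries out the version check above across a portfolio. It reads the Version: field from each site's plugin header, compares it numerically against 2.10.1, and shows why a plain string comparison would miss 2.9.x releases. The site names, header contents and plugin versions are constructed sample data; in practice the header text would be read from each site's wp-content/plugins/gravityforms/gravityforms.php, or the version taken from WP-CLI.

```python
import re
from typing import Dict, List, Optional, Tuple

# Version in which, per the advisory, the vendor closed the flaw.
PATCHED_VERSION = "2.10.1"

# Constructed sample inputs: the leading docblock of each site's
# wp-content/plugins/gravityforms/gravityforms.php. The "Version:" line is
# WordPress's standard plugin-header field; site names and versions are
# invented for this example. None stands for a site without the plugin.
SAMPLE_SITES: Dict[str, Optional[str]] = {
    "client-a.example": "<?php\n/*\nPlugin Name: Gravity Forms\nVersion: 2.10.0.1\n*/\n",
    "client-b.example": "<?php\n/**\n * Plugin Name: Gravity Forms\n * Version: 2.9.22\n */\n",
    "client-c.example": "<?php\n/*\nPlugin Name: Gravity Forms\nVersion: 2.10.1\n*/\n",
    "client-d.example": "<?php\n/*\nPlugin Name: Gravity Forms\nVersion: 2.10.3\n*/\n",
    "client-e.example": "<?php\n/*\nPlugin Name: Gravity Forms\n*/\n",  # header lacks Version
    "client-f.example": None,                                           # plugin not installed
}

# Matches "Version: 2.10.0.1" or " * Version: 2.9.22" at the start of a line.
_VERSION_LINE = re.compile(r"^[ \t*]*Version:[ \t]*([0-9]+(?:\.[0-9]+)*)", re.MULTILINE)


def header_version(plugin_file: str) -> Optional[str]:
    """Extract the Version: field from a plugin main-file header, or None if absent."""
    m = _VERSION_LINE.search(plugin_file)
    return m.group(1) if m else None


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.10.0.1' -> (2, 10, 0, 1): each dotted segment is compared as an integer."""
    return tuple(int(seg) for seg in v.split("."))


def version_lt(a: str, b: str) -> bool:
    """True if a is older than b. Zero-pads so that 2.10.1 and 2.10.1.0 compare equal."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return ta < tb


def is_vulnerable(installed: str, patched: str = PATCHED_VERSION) -> bool:
    """Affected range per the advisory: every version below the patched release."""
    return version_lt(installed, patched)


def naive_is_vulnerable(installed: str, patched: str = PATCHED_VERSION) -> bool:
    """The mistake to avoid: lexical string comparison. '2.9.22' < '2.10.1' is
    False because '9' > '1', so a vulnerable 2.9.x site would be reported safe."""
    return installed < patched


def audit(sites: Dict[str, Optional[str]]) -> List[Tuple[str, Optional[str], str]]:
    """Classify each site as vulnerable, patched, unknown or not-installed."""
    report: List[Tuple[str, Optional[str], str]] = []
    for site, contents in sites.items():
        if contents is None:
            report.append((site, None, "not-installed"))
            continue
        version = header_version(contents)
        if version is None:
            # No version means no proof of patching; flag for manual inspection.
            report.append((site, None, "unknown"))
        elif is_vulnerable(version):
            report.append((site, version, "vulnerable"))
        else:
            report.append((site, version, "patched"))
    return report


if __name__ == "__main__":
    for site, version, status in audit(SAMPLE_SITES):
        print(f"{site:20} {version or '-':10} {status}")
```

The "unknown" bucket matters in practice: a plugin directory whose main file cannot be parsed should be treated as unverified, not as patched. To run this against real sites, replace the sample header text with the contents of each site's gravityforms.php, or feed header_version's output slot with the value of wp plugin list run on each site.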
Expired licenses block update access for Gravity Forms installations, creating a secondary risk category where sites cannot receive patches through WordPress's standard update flow. Agencies carrying clients with lapsed licenses face a choice between license renewal costs and temporary plugin deactivation.
Why This Matters Now
Agency operations teams managing WordPress portfolios face accumulated risk when high-adoption paid plugins ship security patches. Gravity Forms runs on thousands of client sites, and the arbitrary file deletion capability creates direct exposure for agencies carrying sites with delayed update cycles or expired licenses.
The June 3 automated update from Reclaim Hosting demonstrates how proactive hosting providers compress the exposure window, but agencies on self-managed infrastructure or alternative hosts must verify patch deployment across their client base. A single outdated Gravity Forms installation in a 40-site portfolio creates liability if an attacker exploits the file deletion vulnerability.
For agencies evaluating white-label maintenance partners, security response velocity on paid-plugin vulnerabilities serves as a concrete vetting metric. The gap between Wordfence disclosure on June 1 and Reclaim's automated deployment on June 3 establishes a 48-hour benchmark for coordinated update procedures across managed WordPress infrastructure.
