CVE-2023-6963 in Gutenberg Blocks Plugin

Summary

by MITRE • 02/06/2024

The Getwid – Gutenberg Blocks plugin for WordPress is vulnerable to CAPTCHA Bypass in versions up to, and including, 2.0.4. This makes it possible for unauthenticated attackers to bypass the Captcha Verification of the Contact Form block by omitting 'g-recaptcha-response' from the 'data' array.


Analysis

by VulDB Data Team • 04/11/2026

The CVE-2023-6963 vulnerability affects the Getwid Gutenberg Blocks plugin for WordPress, specifically impacting versions up to and including 2.0.4. This security flaw represents a critical weakness in the plugin's contact form implementation that undermines the intended CAPTCHA protection mechanisms. The vulnerability stems from improper validation of CAPTCHA responses within the contact form block functionality, creating a pathway for malicious actors to circumvent security controls designed to prevent automated spam submissions and unauthorized form processing.

The technical exploitation of this vulnerability occurs through a straightforward manipulation of the data submission process. Attackers can bypass the CAPTCHA verification by simply omitting the 'g-recaptcha-response' parameter from the data array during form submission. This omission effectively removes the required CAPTCHA validation check from the request processing pipeline, allowing unauthorized submissions to proceed without proper verification. The flaw demonstrates a classic input validation error where the system fails to properly validate required security parameters before processing user submissions.
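To make the failure mode concrete, the following added PHP sketch (not code from the Getwid plugin; the function names, the stubbed verifier and the sample submissions are assumptions constructed for this example) contrasts a check that only verifies the CAPTCHA when the field happens to be present with one that treats a missing or empty token as a verification failure.

```php
<?php
// Added illustration, not code from the Getwid plugin. Function names and
// the sample data are assumptions; the call to the reCAPTCHA siteverify
// endpoint is replaced by a stub so the file runs offline.

// Stand-in for the remote token verification (constructed stub).
function verify_recaptcha_token(string $token): bool {
    return $token === 'valid-token-from-widget';
}

// Vulnerable pattern: verification runs only when the field is present,
// so a request that omits 'g-recaptcha-response' entirely is accepted.
function captcha_check_vulnerable(array $data): bool {
    if (isset($data['g-recaptcha-response'])) {
        return verify_recaptcha_token($data['g-recaptcha-response']);
    }
    return true; // missing field silently treated as "nothing to check"
}

// Hardened pattern: when CAPTCHA is enabled for the form, the token is
// mandatory; an absent, non-string or empty value is a failure.
function captcha_check_fixed(array $data, bool $captcha_enabled = true): bool {
    if (!$captcha_enabled) {
        return true;
    }
    $token = $data['g-recaptcha-response'] ?? '';
    if (!is_string($token) || $token === '') {
        return false;
    }
    return verify_recaptcha_token($token);
}

// Constructed sample submissions: a normal one, a forged token, and one
// where the CAPTCHA field has been omitted from the data array.
$submissions = [
    'with token'    => ['name' => 'A', 'email' => 'a@example.com',
                        'g-recaptcha-response' => 'valid-token-from-widget'],
    'bad token'     => ['name' => 'B', 'email' => 'b@example.com',
                        'g-recaptcha-response' => 'forged'],
    'field omitted' => ['name' => 'C', 'email' => 'c@example.com'],
];

foreach ($submissions as $label => $data) {
    printf("%-14s vulnerable=%s fixed=%s\n", $label,
        captcha_check_vulnerable($data) ? 'accept' : 'reject',
        captcha_check_fixed($data) ? 'accept' : 'reject');
}
```

The third submission is accepted by the vulnerable check and rejected by the hardened one, which is the difference the advisory describes.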

From an operational perspective, this vulnerability creates significant risks for WordPress sites using the Getwid plugin. Unauthenticated attackers can flood contact forms with spam submissions, potentially causing service disruption, resource exhaustion, and data integrity problems. The bypass defeats the fundamental purpose of CAPTCHA, which is to distinguish human users from automated bots. Sites that rely heavily on contact forms for legitimate user interaction are affected most, since abuse can damage the site's reputation and functionality. The impact is not limited to spam volume: automated submissions may also enable data scraping or the exploitation of other weaknesses in the contact form processing pipeline.

The vulnerability aligns with CWE-347, which addresses improper validation of cryptographic signatures and authentication tokens, and belongs to the broader category of authentication bypass flaws. From an ATT&CK framework perspective, this weakness maps to T1110.003 (Brute Force: Password Guessing) and T1212 (Exploitation for Credential Access), as it provides a way to bypass an authentication mechanism without proper credential validation. Organizations should immediately update to a patched version of the Getwid plugin. While the update is being rolled out, additional layers of protection such as rate limiting, IP whitelisting, and alternative CAPTCHA implementations can help reduce the risk. Security monitoring should be tuned to detect unusual contact form submission patterns, for example a surge of submissions that lack the CAPTCHA field, which may indicate exploitation attempts. The incident underscores the importance of proper input validation and authentication flow implementation in web applications, particularly in plugins that handle user submissions and security controls.

Responsible: Wordfence

Reservation: 12/19/2023

Disclosure: 02/06/2024

Moderation: accepted

CPE: ready

EPSS: 0.00534

KEV: no

Activities: very low
