CVE-2026-1674 in Gutena Forms Plugin

Summary

by MITRE • 03/04/2026

The Gutena Forms – Contact Form, Survey Form, Feedback Form, Booking Form, and Custom Form Builder plugin for WordPress is vulnerable to unauthorized modification of data due to missing authorization within the save_gutena_forms_schema() function in all versions up to, and including, 1.6.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to update option values to a structured array value on the WordPress site. This can be leveraged to update an option that would create an error on the site and deny service to legitimate users, or be used to set some values that would, for example, enable site user registration when it is explicitly disabled.


Analysis

by VulDB Data Team • 03/05/2026

The vulnerability identified as CVE-2026-1674 affects the Gutena Forms plugin for WordPress, a widely used contact form and custom form builder solution that has been installed on numerous websites worldwide. This security flaw exists within the save_gutena_forms_schema() function and impacts all versions up to and including 1.6.0, representing a critical authorization bypass issue that undermines the integrity of WordPress site configurations. The vulnerability specifically targets the plugin's handling of option values, creating a pathway for malicious actors to manipulate core WordPress settings without proper authorization.

The technical nature of this flaw stems from the absence of proper authorization checks within the plugin's schema saving mechanism. An authenticated attacker with Contributor-level privileges or higher can exploit this weakness to modify WordPress options through structured array values, effectively bypassing the standard WordPress permission model. This authorization gap allows malicious users to manipulate critical site configurations, potentially leading to severe operational consequences. The vulnerability operates at the application level and aligns with CWE-862, which describes "Missing Authorization" flaws in software systems, where access control mechanisms fail to properly validate user permissions before allowing sensitive operations.

The operational impact of this vulnerability extends beyond simple data modification, as it can be weaponized to create denial of service conditions by setting options that generate errors on the website. Additionally, attackers can exploit this weakness to enable features that were explicitly disabled for security reasons, such as allowing user registration when it has been turned off to prevent unauthorized account creation. This capability significantly weakens the security posture of affected WordPress sites, potentially allowing attackers to establish persistent access points or disrupt normal site operations. The vulnerability's impact is particularly concerning given that Contributor-level access is often granted to users who should not have the ability to modify core system settings.

Mitigation strategies for this vulnerability should begin with immediate plugin updates to versions that address the authorization gap in the save_gutena_forms_schema() function. Administrators should also implement additional security measures such as role-based access control reviews to ensure that users with Contributor-level privileges cannot perform operations that modify core WordPress options. Network monitoring should be enhanced to detect unusual option value changes that might indicate exploitation attempts. The ATT&CK framework categorizes this vulnerability under privilege escalation techniques, specifically targeting the T1078 credential access and T1499 endpoint denial of service tactics. Organizations should also consider implementing automated security scanning tools that can detect unauthorized configuration changes and maintain regular backups to facilitate quick recovery from potential exploitation attempts.
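To make the class of defect described in the summary and the mitigations above concrete, here is an added, hypothetical WordPress example that is not the Gutena Forms plugin's code: an option-saving AJAX handler with the authorization check missing, the same handler hardened, and an audit hook that records option writes by users without the manage_options capability. The hook name example_save_schema, the option name example_forms_schema and the field names are assumptions.

```php
// Added illustrative example, not the Gutena Forms plugin's code. Hypothetical
// names: example_save_schema (AJAX action), example_forms_schema (option).

// VULNERABLE PATTERN (CWE-862): the handler checks neither a nonce nor a
// capability and trusts the caller-supplied option name, so any logged-in
// user who can reach admin-ajax.php may store a structured array in any option.
function example_save_schema_vulnerable() {
    $option_name  = $_POST['option_name'];   // caller-controlled key
    $option_value = $_POST['schema'];        // array persisted as-is
    update_option( $option_name, $option_value );
    wp_send_json_success();
}

// HARDENED PATTERN: verify the nonce, require a capability only administrators
// hold, pin the option name server-side, and sanitize the value first.
function example_save_schema_hardened() {
    check_ajax_referer( 'example_save_schema', 'nonce' ); // dies on a bad nonce
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    $raw    = isset( $_POST['schema'] ) && is_array( $_POST['schema'] ) ? wp_unslash( $_POST['schema'] ) : array();
    $schema = example_sanitize_schema( $raw );
    update_option( 'example_forms_schema', $schema ); // option name is fixed here
    wp_send_json_success( $schema );
}

// Allow-list sanitizer: keep only the expected keys and coerce their types.
function example_sanitize_schema( array $raw ) {
    $clean = array();
    foreach ( $raw as $field ) {
        if ( ! is_array( $field ) ) {
            continue;
        }
        $type    = isset( $field['type'] ) ? $field['type'] : 'text';
        $clean[] = array(
            'name'     => isset( $field['name'] ) ? sanitize_key( $field['name'] ) : '',
            'label'    => isset( $field['label'] ) ? sanitize_text_field( $field['label'] ) : '',
            'type'     => in_array( $type, array( 'text', 'email', 'textarea' ), true ) ? $type : 'text',
            'required' => ! empty( $field['required'] ),
        );
    }
    return $clean;
}
add_action( 'wp_ajax_example_save_schema', 'example_save_schema_hardened' );

// Detection aid: record option writes made by users lacking manage_options
// (e.g. users_can_register being switched on) for later review.
add_action( 'updated_option', function ( $option, $old_value, $value ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        error_log( sprintf( 'option %s changed by user %d without manage_options', $option, get_current_user_id() ) );
    }
}, 10, 3 );
```

The audit hook only logs; a site that wants to block such writes should still rely on the capability check in the handler, since the hook fires after the option has already been updated.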

Disclosure: 03/04/2026

Moderation: accepted

CPE: ready

EPSS: 0.00013

KEV: no

Activities: very low
