FKIE_CVE-2026-1674

Vulnerability from fkie_nvd - Published: 2026-03-04 12:16 - Updated: 2026-04-22 21:26
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Summary
The Gutena Forms – Contact Form, Survey Form, Feedback Form, Booking Form, and Custom Form Builder plugin for WordPress is vulnerable to unauthorized modification of data due to missing authorization within the save_gutena_forms_schema() function in all versions up to, and including, 1.6.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to update option values to a structured array value on the WordPress site. This can be leveraged to update an option that would create an error on the site and deny service to legitimate users or be used to set some values, that would, for example enable site user registration when it is explicitly disabled.
References
security@wordfence.comhttps://plugins.trac.wordpress.org/changeset/3463148/gutena-forms
security@wordfence.comhttps://www.wordfence.com/threat-intel/vulnerabilities/id/4bc10693-6d7c-4293-8848-02181ceb0d25?source=cve
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Gutena Forms \u2013 Contact Form, Survey Form, Feedback Form, Booking Form, and Custom Form Builder plugin for WordPress is vulnerable to unauthorized modification of data due to missing authorization within the save_gutena_forms_schema() function in all versions up to, and including, 1.6.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to update option values to a structured array value on the WordPress site. This can be leveraged to update an option that would create an error on the site and deny service to legitimate users or be used to set some values, that would, for example enable site user registration when it is explicitly disabled."
    },
    {
      "lang": "es",
      "value": "El plugin Gutena Forms \u2013 Contact Form, Survey Form, Feedback Form, Booking Form, y Custom Form Builder para WordPress es vulnerable a la modificaci\u00f3n no autorizada de datos debido a la falta de autorizaci\u00f3n dentro de la funci\u00f3n save_gutena_forms_schema() en todas las versiones hasta la 1.6.0, inclusive. Esto hace posible que atacantes autenticados, con acceso de nivel Colaborador y superior, actualicen los valores de las opciones a un valor de array estructurado en el sitio de WordPress. Esto puede ser aprovechado para actualizar una opci\u00f3n que crear\u00eda un error en el sitio y denegar el servicio a usuarios leg\u00edtimos o ser usado para establecer algunos valores que, por ejemplo, habilitar\u00edan el registro de usuarios del sitio cuando est\u00e1 expl\u00edcitamente deshabilitado."
    }
  ],
  "id": "CVE-2026-1674",
  "lastModified": "2026-04-22T21:26:58.303",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "security@wordfence.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-04T12:16:02.733",
  "references": [
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/changeset/3463148/gutena-forms"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4bc10693-6d7c-4293-8848-02181ceb0d25?source=cve"
    }
  ],
  "sourceIdentifier": "security@wordfence.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-862"
        }
      ],
      "source": "security@wordfence.com",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.