CVE-2026-1674

Gutena Forms – Contact Form, Survey Form, Feedback Form, Booking Form, and Custom Form Builder <= 1.6.0 - Authenticated (Contributor+) Limited Options Update in save_gutena_forms_schema()

Missing Authorization
Severity: medium
CVSS Score: 6.5
Patched in: 1.6.1
Time to patch: 1d

Description

The Gutena Forms – Contact Form, Survey Form, Feedback Form, Booking Form, and Custom Form Builder plugin for WordPress is vulnerable to unauthorized modification of data due to missing authorization within the save_gutena_forms_schema() function in all versions up to, and including, 1.6.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to update option values to a structured array value on the WordPress site. This can be leveraged to update an option in a way that creates an error on the site and denies service to legitimate users, or to set some values that would, for example, enable site user registration when it is explicitly disabled.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: None

Technical Details

Affected versions: <=1.6.0
Published: March 3, 2026
Last updated: March 4, 2026
Affected plugin: gutena-forms

What Changed in the Fix

Changes introduced in v1.6.1

Source Code

WordPress.org SVN

Research Plan (Unverified)

Exploitation Research Plan: CVE-2026-1674 (Gutena Forms Options Update)

1. Vulnerability Summary

The Gutena Forms plugin (up to version 1.6.0) contains a missing authorization vulnerability in the save_gutena_forms_schema() function. This function is hooked to WordPress's save_post action. Because the function fails to check for administrative capabilities (e.g., manage_options) or verify a specific security nonce before updating WordPress options, an authenticated user with at least Contributor level access (who can save posts) can trigger this function to overwrite arbitrary WordPress options with structured array data.

2. Attack Vector Analysis

  • Endpoint: wp-admin/post.php (via the standard post-save flow).
  • Action: save_post (triggered when a user saves or updates a post).
  • Vulnerable Function: Gutena_Forms::save_gutena_forms_schema().
  • Payload Parameters:
    • gutena_forms_id: The name of the WordPress option to update (e.g., users_can_register).
    • gutena_forms_schema: The value to set the option to (must be an array/structured data).
  • Authentication: Authenticated (Contributor or higher). Contributors can create posts and trigger save_post even if their posts are pending review.

3. Code Flow

  1. Registration: In gutena-forms.php, the plugin registers the hook:
    add_action( 'save_post', array( $this, 'save_gutena_forms_schema' ), 10, 3 );
    
  2. Execution: When any post is saved, save_gutena_forms_schema($post_id, $post, $update) is executed.
  3. Missing Check: (Inferred from patch/vulnerability description) The function likely looks for $_POST['gutena_forms_id'] and $_POST['gutena_forms_schema'].
  4. The Sink: It calls update_option( $_POST['gutena_forms_id'], $_POST['gutena_forms_schema'] ) without verifying if the current user has the authority to modify site options or if the request was intentional (nonce).
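
One way to close the gap described in the code flow above, shown as an added example that is not the plugin's code or its 1.6.1 patch. The two request parameters are the names the plan infers; the function name, the nonce field and action, and the option prefix are hypothetical.

```php
<?php
// Added example: hypothetical hardened handler, not the plugin's 1.6.1 code.
// gutena_forms_id / gutena_forms_schema are the parameter names the plan
// infers; the nonce field, nonce action and option prefix are assumptions.

const EXAMPLE_OPTION_PREFIX = 'example_gutena_schema_'; // hypothetical namespace

function example_save_forms_schema( $post_id, $post, $update ) {
	// Autosaves and revisions are not deliberate saves of a form schema.
	if ( wp_is_post_autosave( $post_id ) || wp_is_post_revision( $post_id ) ) {
		return;
	}
	if ( ! isset( $_POST['gutena_forms_id'], $_POST['gutena_forms_schema'] ) ) {
		return;
	}

	// Intent: require a nonce bound to this action and post, rather than
	// relying on core's _wpnonce, which any user who can save a post holds.
	$nonce = isset( $_POST['example_schema_nonce'] ) && is_string( $_POST['example_schema_nonce'] )
		? sanitize_text_field( wp_unslash( $_POST['example_schema_nonce'] ) )
		: '';
	if ( ! wp_verify_nonce( $nonce, 'example_save_schema_' . $post_id ) ) {
		return;
	}

	// Authority: writing site options is an administrative operation.
	if ( ! current_user_can( 'manage_options' ) ) {
		return;
	}

	// Shape: the ID must be a plain string and the schema an array.
	if ( ! is_string( $_POST['gutena_forms_id'] ) || ! is_array( $_POST['gutena_forms_schema'] ) ) {
		return;
	}
	$form_id = sanitize_key( wp_unslash( $_POST['gutena_forms_id'] ) );
	if ( '' === $form_id ) {
		return;
	}
	$schema = map_deep( wp_unslash( $_POST['gutena_forms_schema'] ), 'sanitize_text_field' );

	// Scope: the request names a form, never an option. The fixed prefix
	// keeps core options such as users_can_register out of reach.
	update_option( EXAMPLE_OPTION_PREFIX . $form_id, $schema, false );
}
add_action( 'save_post', 'example_save_forms_schema', 10, 3 );
```

The capability check and the fixed prefix each stop the core-option overwrite on their own; the dedicated nonce covers a forged request sent through an administrator's session.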

4. Nonce Acquisition Strategy

While the vulnerable function itself may lack a specific nonce check, the save_post action in the WordPress admin dashboard is protected by the core _wpnonce.

Strategy:

  1. Log in as a Contributor.
  2. Navigate to wp-admin/post-new.php.
  3. Use browser_eval to extract the _wpnonce from the form or simply submit the form via the browser context.
  4. The core WordPress nonce _wpnonce is typically found in the hidden input field of the post editor form: document.getElementById('_wpnonce').value.

5. Exploitation Strategy

The goal is to enable site registration by setting the users_can_register option. While this option is normally a string ('0' or '1'), setting it to a non-empty array will cause (bool) get_option('users_can_register') to evaluate to true in most logic checks.

Step-by-Step Plan:

  1. Login: Authenticate as a Contributor user.
  2. Post Initialization: Access wp-admin/post-new.php to initiate a post creation session.
  3. Payload Construction: Prepare a POST request to wp-admin/post.php.
  4. Execution:
    • Use the http_request tool to send a multipart/form-data or application/x-www-form-urlencoded request.
    • Required Parameters:
      • action: editpost
      • post_ID: (The ID of the post being created)
      • _wpnonce: (The nonce obtained from the post-new page)
      • gutena_forms_id: users_can_register
      • gutena_forms_schema[enabled]: 1 (This ensures the option becomes a structured array)
      • post_title: Exploit Post
  5. DoS Variant (Optional): To demonstrate Denial of Service, an attacker could target an option like active_plugins or template, though users_can_register is the most common POC for impact.

6. Test Data Setup

  1. User: Create a user with the Contributor role.
  2. Settings: Ensure Settings > General > Membership (Anyone can register) is unchecked (value 0) before starting.
  3. Plugin: Ensure gutena-forms version 1.6.0 is active.

7. Expected Results

  • The server will process the post-save request and return a 302 redirect to the post editor.
  • The save_gutena_forms_schema function will execute and call update_option('users_can_register', ['enabled' => '1']).
  • Since the array is not empty, WordPress will treat registration as enabled.

8. Verification Steps

  1. WP-CLI Check:
    wp option get users_can_register
    
    Expected Output: A serialized array a:1:{s:7:"enabled";s:1:"1";} or similar, instead of the string 0.
  2. UI Check: Navigate to the WordPress login page (/wp-login.php) and verify that the "Register" link is now visible.
  3. Functional Check:
    curl -I 'http://localhost:8080/wp-login.php?action=register'
    
    Expected Output: HTTP 200 OK (instead of a redirect or error indicating registration is disabled).

9. Alternative Approaches

If gutena_forms_id is not the correct parameter name (due to truncation in the source), check the following common naming conventions used by the plugin:

  • gutena_form_id
  • gutena_forms_data
  • gutena_form_schema

If the save_post hook is only registered for a specific Post Type, check if the plugin registers a CPT called gutena-forms. If so, use wp post create --post_type=gutena-forms as the base for the exploit. In the provided source gutena-forms.php, the following include is seen:
include_once GUTENA_FORMS_DIR_PATH . 'includes/class-gutena-cpt.php';
This confirms the existence of a Custom Post Type. The exploit should be attempted by saving a post of type gutena-forms.
