[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fnv_hG1a0MiV5DZJiNbQi8IjoIGBYjQNPOVrBz4tBzXg":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":26,"research_verified":27,"research_rounds_completed":28,"research_plan":29,"research_summary":30,"research_vulnerable_code":31,"research_fix_diff":32,"research_exploit_outline":33,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":27,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":27,"source_links":37},"CVE-2026-1753","gutena-forms-contact-form-survey-form-feedback-form-booking-form-and-custom-form-builder-missing-authorization-to-authen","Gutena Forms – Contact Form, Survey Form, Feedback Form, Booking Form, and Custom Form Builder \u003C 1.6.1 - Missing Authorization to Authenticated (Contributor+) Settings Update","The Gutena Forms – Contact Form, Survey Form, Feedback Form, Booking Form, and Custom Form Builder plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to 1.6.1 (exclusive). 
This makes it possible for authenticated attackers, with Contributor-level access and above, to perform an unauthorized action.","gutena-forms",null,"\u003C1.6.1","1.6.1","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-03-12 00:00:00","2026-03-19 13:52:11",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F6ca7ac42-2e61-498a-b46e-1f6fbdb0dd65?source=api-prod",8,[22,23,24,25],"gutena-forms.php","includes\u002Fadmin\u002Fclass-create-store.php","includes\u002Fhandlers\u002Fclass-form-submit-handler.php","readme.txt","researched",false,3,"# Exploitation Research Plan: Gutena Forms Missing Authorization (CVE-2026-1753)\n\n## 1. Vulnerability Summary\nThe **Gutena Forms** plugin for WordPress is vulnerable to unauthorized settings updates due to missing capability checks in its administrative interfaces. Specifically, in versions prior to 1.6.1, certain functions responsible for updating global plugin settings (such as reCAPTCHA keys, Turnstile settings, and global form messages) are accessible to any authenticated user with **Contributor-level** permissions or higher. This occurs because the permission check (likely in the REST API or AJAX handlers) uses a weak capability like `edit_posts` instead of `manage_options`.\n\n## 2. Attack Vector Analysis\n- **Endpoint**: WordPress REST API endpoint `\u002Fwp-json\u002Fgutena-forms\u002Fv1\u002Fsettings`.\n- **Method**: `POST`\n- **Authentication**: Authenticated (Contributor+)\n- **Vulnerable Parameter**: The request body (JSON) containing settings keys to be updated.\n- **Payload**: A JSON object overwriting sensitive global options such as `gutena_forms_grecaptcha` or `gutena_forms_turnstile`.\n- **Preconditions**:\n    - The plugin version must be \u003C 1.6.1.\n    - An attacker must have credentials for a user with the `Contributor` role.\n\n## 3. Code Flow\n1. 
**Entry Point**: The plugin initializes its REST API in `gutena-forms.php` by including `includes\u002Frest-api\u002Fclass-rest-api.php`.\n2. **Registration**: Inside `class-rest-api.php` (referenced in `includes\u002Frest-api\u002Fclass-rest-api.php`), a route is registered: `register_rest_route('gutena-forms\u002Fv1', '\u002Fsettings', ...)`.\n3. **Weak Check**: The `permission_callback` for this route incorrectly uses `current_user_can('edit_posts')` or lacks a check entirely, allowing any user who can edit posts (Contributors and above) to pass the authorization phase.\n4. **Execution**: The callback function (e.g., `update_settings`) receives the JSON payload and calls `update_option()` for keys like `gutena_forms_grecaptcha` without further verification.\n5. **Sink**: `update_option()` in the WordPress database.\n\n## 4. Nonce Acquisition Strategy\nThe WordPress REST API requires a standard `wp_rest` nonce for `POST` requests from authenticated users.\n\n1. **Access Admin Context**: Even if a Contributor cannot see the Gutena Forms menu, they can access the standard post editor.\n2. **Navigate**: Use the browser to navigate to `\u002Fwp-admin\u002Fpost-new.php`.\n3. **Extract Nonce**: The standard WordPress REST API nonce is stored in the `window.wpApiSettings.nonce` variable.\n4. **JavaScript Tool**: \n   ```javascript\n   browser_eval(\"window.wpApiSettings.nonce\")\n   ```\n5. **Alternative**: If the plugin enqueues its own settings scripts, check `window.gutena_forms_admin?.nonce` (inferred).\n\n## 5. 
Exploitation Strategy\n### Step 1: Authentication\nLogin as a user with the **Contributor** role.\n\n### Step 2: Nonce Extraction\nNavigate to the post editor and extract the REST nonce.\n- **URL**: `\u002Fwp-admin\u002Fpost-new.php`\n- **Action**: Extract `window.wpApiSettings.nonce`.\n\n### Step 3: Malicious Settings Update\nSend a POST request to the REST API to update the reCAPTCHA settings.\n- **URL**: `\u002Fwp-json\u002Fgutena-forms\u002Fv1\u002Fsettings`\n- **Method**: `POST`\n- **Headers**:\n    - `Content-Type: application\u002Fjson`\n    - `X-WP-Nonce: [EXTRACTED_NONCE]`\n- **Body**:\n    ```json\n    {\n      \"gutena_forms_grecaptcha\": {\n        \"site_key\": \"PWNED_SITE_KEY\",\n        \"secret_key\": \"PWNED_SECRET_KEY\",\n        \"enabled\": \"1\"\n      }\n    }\n    ```\n\n### Step 4: Verification\nConfirm the setting was updated using WP-CLI.\n\n## 6. Test Data Setup\n1. **Target Version**: Ensure Gutena Forms v1.6.0 is installed.\n2. **User Creation**: Create a Contributor user:\n   ```bash\n   wp user create attacker attacker@example.com --role=contributor --user_pass=password123\n   ```\n3. **Optional**: Initialize the default settings if they don't exist:\n   ```bash\n   wp option add gutena_forms_grecaptcha '{\"site_key\": \"original\", \"secret_key\": \"original\"}' --format=json\n   ```\n\n## 7. Expected Results\n- The REST API should return a `200 OK` or `201 Created` response.\n- The response body should confirm the settings were updated.\n- The global `gutena_forms_grecaptcha` option in the database should now contain the attacker's values.\n\n## 8. Verification Steps\nAfter performing the HTTP request, use WP-CLI to verify the change:\n```bash\nwp option get gutena_forms_grecaptcha --format=json\n```\n**Success Condition**: The output shows `\"site_key\": \"PWNED_SITE_KEY\"`.\n\n## 9. 
Alternative Approaches\nIf the REST API route is different or disabled, check for an AJAX handler:\n- **Action**: `wp_ajax_gutena_forms_save_settings` (inferred).\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`.\n- **Parameters**: `action=gutena_forms_save_settings&security=[NONCE]&settings[gutena_forms_grecaptcha][site_key]=PWNED`.\n- **Nonce Source**: Search page source for `gutena_forms_admin` localization in `wp-admin\u002Fadmin.php?page=gutena-forms` (if accessible) or via block editor settings.\n\nAnother target option for verification:\n- **Option Name**: `gutena_forms_messages`\n- **Payload**: `{\"gutena_forms_messages\": {\"success\": \"Your site has been hacked!\"}}`","The Gutena Forms plugin for WordPress is vulnerable to unauthorized settings updates and arbitrary option overwrites due to missing capability checks and insufficient validation of user-controlled option keys. Authenticated attackers with Contributor-level permissions can exploit this by manipulating the formID parameter during form saving, allowing them to overwrite sensitive global options such as reCAPTCHA keys or site configuration.","\u002F\u002F gutena-forms.php (around line 465 in v1.6.0)\n\u002F\u002F filter for formSchema\n$formSchema_filtered = apply_filters( 'gutena_forms_save_form_schema', $formSchema, $formSchema['form_attrs']['formID'], $gutena_form_ids );\n\u002F\u002FSave form schema\nupdate_option(\n    sanitize_key( $formSchema['form_attrs']['formID'] ),\n    $this->sanitize_array( $formSchema_filtered, true )\n);","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fgutena-forms\u002F1.6.0\u002Fgutena-forms.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fgutena-forms\u002F1.6.1\u002Fgutena-forms.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fgutena-forms\u002F1.6.0\u002Fgutena-forms.php\t2026-01-21 04:25:20.000000000 +0000\n+++ 
\u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fgutena-forms\u002F1.6.1\u002Fgutena-forms.php\t2026-02-17 07:05:32.000000000 +0000\n@@ -4,7 +4,7 @@\n  * Description:       Gutena Forms is the easiest way to create forms inside the WordPress block editor. Our plugin does not use jQuery and is lightweight, so you can rest assured that it won’t slow down your website. Instead, it allows you to quickly and easily create custom forms right inside the block editor.\n  * Requires at least: 6.5\n  * Requires PHP:      5.6\n- * Version:           1.6.0\n+ * Version:           1.6.1\n  * Author:            Gutena Forms\n  * Author URI:        https:\u002F\u002Fgutenaforms.com\n  * License:           GPL-2.0-or-later\n@@ -42,7 +42,44 @@\n  * Plugin version.\n  *\u002F\n if ( ! defined( 'GUTENA_FORMS_VERSION' ) ) {\n-\tdefine( 'GUTENA_FORMS_VERSION', '1.5.1' );\n+\tdefine( 'GUTENA_FORMS_VERSION', '1.6.1' );\n+}\n+\n+\u002F**\n+ * Option name prefix for form schema (security: prevents arbitrary option overwrite).\n+ *\u002F\n+if ( ! defined( 'GUTENA_FORMS_SCHEMA_OPTION_PREFIX' ) ) {\n+\tdefine( 'GUTENA_FORMS_SCHEMA_OPTION_PREFIX', 'gutena_forms_schema_' );\n+}\n+\n+if ( ! function_exists( 'gutena_forms_get_form_schema_option' ) ) {\n+\t\u002F**\n+\t * Get form schema option value. Checks non-prefixed first, then prefixed; if both exist, returns prefixed.\n+\t *\n+\t * @param string $form_id Form ID (option key).\n+\t * @param mixed  $default Default if neither option exists.\n+\t * @return mixed Form schema array or $default.\n+\t *\u002F\n+\tfunction gutena_forms_get_form_schema_option( $form_id, $default = false ) {\n+\t\t$form_id = sanitize_key( $form_id );\n+\t\tif ( '' === $form_id ) {\n+\t\t\treturn $default;\n+\t\t}\n+\t\t$non_prefixed = get_option( $form_id, null );\n+\t\t$prefixed     = get_option( GUTENA_FORMS_SCHEMA_OPTION_PREFIX . 
$form_id, null );\n+\t\t$has_non_prefixed = ( null !== $non_prefixed );\n+\t\t$has_prefixed     = ( null !== $prefixed );\n+\t\tif ( $has_non_prefixed && $has_prefixed ) {\n+\t\t\treturn $prefixed;\n+\t\t}\n+\t\tif ( $has_prefixed ) {\n+\t\t\treturn $prefixed;\n+\t\t}\n+\t\tif ( $has_non_prefixed ) {\n+\t\t\treturn $non_prefixed;\n+\t\t}\n+\t\treturn $default;\n+\t}\n }\n \n if ( ! function_exists( 'gutena_forms__fs' ) ) :\n@@ -463,9 +500,9 @@\n \t\t\t\t\t\t}\n \t\t\t\t\t\t\u002F\u002Ffilter for formSchema\n \t\t\t\t\t\t$formSchema_filtered = apply_filters( 'gutena_forms_save_form_schema', $formSchema, $formSchema['form_attrs']['formID'], $gutena_form_ids );\n-\t\t\t\t\t\t\u002F\u002FSave form schema\n+\t\t\t\t\t\t\u002F\u002FSave form schema (prefixed option name prevents arbitrary option overwrite)\n \t\t\t\t\t\tupdate_option(\n-\t\t\t\t\t\t\tsanitize_key( $formSchema['form_attrs']['formID'] ),\n+\t\t\t\t\t\t\tGUTENA_FORMS_SCHEMA_OPTION_PREFIX . sanitize_key( $formSchema['form_attrs']['formID'] ),\n \t\t\t\t\t\t\t$this->sanitize_array( $formSchema_filtered, true )\n \t\t\t\t\t\t);","1. Authenticate as a user with Contributor-level access or higher.\n2. Access the WordPress block editor (e.g., create a new post at `\u002Fwp-admin\u002Fpost-new.php`).\n3. Insert a Gutena Form block and observe the outgoing REST API or AJAX request used to save the form configuration.\n4. Intercept the save request and modify the `formID` attribute inside the `form_attrs` object to match a sensitive WordPress option name, such as `gutena_forms_grecaptcha` (to disrupt security) or `users_can_register` (to enable registration).\n5. Include the desired malicious value for that option in the `formSchema` payload.\n6. 
Submit the request; the server will execute `update_option()` using the attacker-supplied key, thereby overwriting the site setting because the capability check only verifies if the user can save posts (Contributor level), not manage global options.","gemini-3-flash-preview","2026-04-18 04:17:58","2026-04-18 04:18:47",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","1.6.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgutena-forms\u002Ftags\u002F1.6.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fgutena-forms.1.6.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgutena-forms\u002Ftags\u002F1.6.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fgutena-forms.1.6.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgutena-forms\u002Ftags"]
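Review bot: in the `@@ -42,7 +42,44 @@` hunk, the first two branches of `gutena_forms_get_form_schema_option` are redundant: `if ( $has_non_prefixed && $has_prefixed ) { return $prefixed; }` is fully covered by the following `if ( $has_prefixed ) { return $prefixed; }`, so the helper reduces to "prefixed if set, else non-prefixed, else default"; collapsing them makes the precedence rule easier to audit. Separately, the legacy fallback still calls `get_option( $form_id, null )` for any sanitized key, so the non-prefixed read path is not confined to the plugin's own options; consider restricting that fallback to IDs present in the stored form-ID list (the `$gutena_form_ids` value passed to the `gutena_forms_save_form_schema` filter), migrating legacy schemas to the prefixed name on first read, and documenting when the fallback can be removed.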
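Review bot: in the `@@ -463,9 +500,9 @@` hunk, the change prefixes the option name with `GUTENA_FORMS_SCHEMA_OPTION_PREFIX` but adds no `current_user_can()` check around `update_option()`, while the advisory text on this page describes the root cause as a missing capability check; if authorization for this save path is enforced elsewhere, a comment at this call site pointing to it would help reviewers, and if it is not, the prefix only narrows which options a low-privilege user can write, not who can write them. The reason added to the `//Save form schema` comment is welcome; it would also be worth noting there that `sanitize_key()` lowercases and strips characters, so two distinct form IDs can collapse to the same option name.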