Description
The Gutena Forms WordPress plugin before 1.6.1 does not validate the option to be updated, which could allow users with the contributor role and above to update arbitrary boolean and array options (such as users_can_register).
Published: 2026-03-11
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Configuration Modification
Action: Patch Now
AI Analysis

Impact

The vulnerability in the Gutena Forms WordPress plugin allows a user with a contributor or higher role to modify any boolean or array option, such as users_can_register, because the plugin does not validate which option is being updated. This unexpected capability can change site configuration and affect how the website behaves, potentially letting the attacker alter user registration, permission settings, and other core functionality. The weakness is an authorization flaw, classified as CWE-639 (Authorization Bypass Through User-Controlled Key).

Affected Systems

The issue affects the Gutena Forms plugin for WordPress on all versions prior to 1.6.1. The vendor is listed as Gutena Forms, and any installation of this plugin where a contributor or higher user is present is at risk. No further version details are provided beyond the 1.6.1 threshold.

Risk and Exploitability

The CVSS score of 6.8 signals a moderate risk, while the EPSS score of less than 1% indicates a low probability of exploitation in the wild. The vulnerability is not listed in CISA's KEV catalog. The attacker requires an authenticated account with contributor or higher privileges, so exploitation depends on existing access to the site, although the CVSS vector rates the attack vector as network (AV:N). An attacker with such an account could exploit the flaw to flip boolean options or replace array options, thereby altering site behavior or escalating privileges.

Generated by OpenCVE AI on March 17, 2026 at 15:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Gutena Forms to version 1.6.1 or later


Advisories

No advisories yet.

History

Thu, 12 Mar 2026 10:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Gutena Forms; Gutena Forms gutena Forms; Wordpress; Wordpress wordpress
Vendors & Products | | Gutena Forms; Gutena Forms gutena Forms; Wordpress; Wordpress wordpress

Wed, 11 Mar 2026 14:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-639
Metrics | | cvssV3_1: {'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N'}; ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 11 Mar 2026 06:15:00 +0000

Type | Values Removed | Values Added
Description | | The Gutena Forms WordPress plugin before 1.6.1 does not validate the option to be updated, which could allow users with the contributor role and above to update arbitrary boolean and array options (such as users_can_register).
Title | | Gutena Forms < 1.6.1 - Contributor+ Arbitrary Limited Options Update
References | |

MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-03-11T13:46:58.114Z

Reserved: 2026-02-02T09:47:03.130Z

Link: CVE-2026-1753

Vulnrichment

Updated: 2026-03-11T13:43:32.832Z

NVD

Status: Awaiting Analysis

Published: 2026-03-11T06:17:13.273

Modified: 2026-03-11T14:16:17.287

Link: CVE-2026-1753

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T14:37:48Z

Weaknesses