Description
Unauthenticated Insecure Direct Object References (IDOR) in GravityView <= 3.0.0 versions.
Published: 2026-06-26
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The GravityView plugin, at or below version 3.0.0, contains unauthenticated insecure direct object references that allow an attacker to obtain submission data they should not be able to access. This weakness corresponds to CWE-639 and can lead to confidentiality violations by exposing user-submitted information. Attackers need no authentication to exploit this flaw; the severity is moderate, but exploitation is a realistic possibility in environments where the plugin is exposed to the internet.

Affected Systems

Any WordPress installation hosting the GravityKit:GravityView plugin version 3.0.0 or earlier is affected. The flaw applies to all instances of the plugin regardless of site configuration, as long as the vulnerable version remains installed.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate impact scenario. No EPSS score is available, and the vulnerability is not listed in CISA's KEV catalog. Exploitation requires an attacker to request a GravityView URL that references a record ID; the absence of access checks allows arbitrary retrieval of submission data. Because authentication is not required, any visitor to the site can potentially exploit the vulnerability, and the likely attack vector is simple crafted URLs or automated scanning tools.

Generated by OpenCVE AI on June 26, 2026 at 17:35 UTC.

Remediation

Vendor Solution

Update the WordPress GravityView Plugin to the latest available version (at least 3.0.1).
OpenCVE Recommended Actions

  • Update the GravityView plugin to version 3.0.1 or later.
  • Configure GravityView permissions so that only authorized user roles can view form submissions.
  • Deploy a web application firewall rule that detects and blocks patterned requests to GravityView record IDs, such as runs of numeric query parameters or path segments that expose record identifiers.

Generated by OpenCVE AI on June 26, 2026 at 17:35 UTC.


Advisories

No advisories yet.

History

Fri, 26 Jun 2026 16:30:00 +0000

Type      Values Removed    Values Added
Metrics                     ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 26 Jun 2026 15:15:00 +0000

Type         Values Removed    Values Added
Description                    Unauthenticated Insecure Direct Object References (IDOR) in GravityView <= 3.0.0 versions.
Title                          WordPress GravityView plugin <= 3.0.0 - Insecure Direct Object References (IDOR) vulnerability
Weaknesses                     CWE-639
References
Metrics                        cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-26T15:36:30.894Z

Reserved: 2026-06-25T08:03:29.942Z

Link: CVE-2026-57665

Vulnrichment

Updated: 2026-06-26T15:36:26.784Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T17:45:03Z

Weaknesses
  • CWE-639: Authorization Bypass Through User-Controlled Key