Gutena Forms < 1.6.1 – Contributor+ Arbitrary Limited Options Update | CVE 2026-1753 | Plugin Vulnerabilities

Description

The plugin does not validate option to be updated, which could allow contributors and above role to update arbitrary boolean and array options (such as users_can_register).

Proof of Concept

As a contributor, add the following code in a post while in code editor mode:

<!-- wp:gutena/forms {"formID":"users_can_register"} /-->

This will set the users_can_register to 1

Affects Plugins

Fixed in 1.6.1

References

CVE

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

yiğit ibrahim sağlam

Submitter

yiğit ibrahim sağlam

Submitter website

https://ibrahimsql.com

Submitter twitter

Verified

Yes

WPVDB ID

c42dbab9-b729-4748-88e5-0bd2f6d66e3d

Timeline

Publicly Published

2026-02-18 (about 21 days ago)

Added

2026-02-18 (about 20 days ago)

Last Updated

2026-02-18 (about 20 days ago)

Other

Published

Title

Published

2025-02-12

Title

DethemeKit For Elementor < 2.1.9 - Authenticated (Contributor+) Protected Post Disclosure

Published

2025-12-14

Title

Essential Real Estate <= 5.2.2 - Authenticated (ERE Customer+) Insecure Direct Object Reference

Published

2024-12-24

Title

Avada Builder < 3.11.13 - Authenticated (Contributor+) Protected Post Disclosure

Published

2023-09-25

Title

ActivityPub for WordPress < 1.0.0 - Subscriber+ Arbitrary Post Title Disclosure

Published

2025-02-06

Title

Builder Shortcode Extras – WordPress Shortcodes Collection to Save You Time <= 1.0.0 - Authenticated (Contributor+) Post Disclosure