
CVE-2026-1674: CWE-862 Missing Authorization in saadiqbal Gutena Forms – Contact Form, Survey Form, Feedback Form, Booking Form, and Custom Form Builder

Severity: Medium
Tags: vulnerability, cve-2026-1674, cwe-862
Published: Wed Mar 04 2026 (03/04/2026, 11:22:30 UTC)
Source: CVE Database V5
Vendor/Project: saadiqbal
Product: Gutena Forms – Contact Form, Survey Form, Feedback Form, Booking Form, and Custom Form Builder

Description

CVE-2026-1674 is a medium-severity vulnerability in the Gutena Forms WordPress plugin affecting all versions up to and including 1.6.0. It stems from a missing authorization check in the save_gutena_forms_schema() function, which lets authenticated users with Contributor-level access or higher modify option values on the site. Exploitation can enable user registration where an administrator has disabled it, or write option values that cause site errors and denial of service. Confidentiality is not affected; integrity and availability are. No exploitation in the wild has been reported. Organizations using this plugin should apply a fixed release as soon as one is available and, in the meantime, tighten role assignments. Exposure is greatest where WordPress and this plugin are widely deployed, including the United States, United Kingdom, Germany, Australia, Canada, and India.

AI-Powered Analysis

Last updated: 03/04/2026, 11:48:23 UTC

Technical Analysis

CVE-2026-1674 is classified under CWE-862 (Missing Authorization) and affects the Gutena Forms plugin for WordPress, which provides contact, survey, feedback, booking and custom form builders. The root cause is that save_gutena_forms_schema(), the function that processes and saves form schema data, performs no capability check before writing: any authenticated user with at least Contributor privileges can reach it and have the plugin update WordPress option values with attacker-controlled structured (array) data. Because the write is not confined to the plugin's own settings, an attacker can change site behaviour, for example re-enabling user registration that an administrator disabled, or storing values the site cannot handle, producing errors that amount to denial of service. All plugin versions up to and including 1.6.0 are affected. The CVSS v3.1 base score is 6.5 (medium); the metrics described here (network attack vector, low attack complexity, low privileges, no user interaction, low impact on integrity and availability, none on confidentiality) correspond to the vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L. Contributor is a low role but not one that self-registration grants by default (new registrants are Subscribers), so sites that hand out Contributor accounts to guest authors or external contributors are the most exposed. No public exploit has been reported. This page lists no patch reference, so a fixed release may not yet be available and interim mitigations matter.
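The pattern the analysis describes is easiest to see side by side with its fix. The PHP below is an added illustration, not Gutena Forms' code: the route, option and function names (example-forms/v1, example_forms_schema, example_save_forms_schema_*) are hypothetical. The vulnerable handler treats "logged in" as sufficient and lets request keys become option names; the hardened handler requires the manage_options capability, validates the payload shape, and writes to a single plugin-owned option so core options such as users_can_register are never reachable.

```php
<?php
/**
 * Illustrative REST handlers for a form-builder plugin (hypothetical names,
 * not the Gutena Forms code). Shows the CWE-862 pattern described in the
 * advisory and a hardened version of the same save operation.
 */

// --- Vulnerable pattern: the only gate is "is the caller logged in?", which a
//     Contributor passes. Request keys are then written straight into options.
function example_forms_register_routes_vulnerable() {
	register_rest_route( 'example-forms/v1', '/schema', array(
		'methods'             => 'POST',
		'callback'            => 'example_save_forms_schema_vulnerable',
		'permission_callback' => 'is_user_logged_in',
	) );
}

function example_save_forms_schema_vulnerable( WP_REST_Request $request ) {
	$schema = $request->get_json_params();
	// Attacker-controlled keys become option names, e.g. {"users_can_register": 1}
	foreach ( (array) $schema as $option_name => $value ) {
		update_option( sanitize_key( $option_name ), $value );
	}
	return rest_ensure_response( array( 'saved' => true ) );
}

// --- Hardened pattern: capability check, validated payload, fixed option name.
function example_forms_register_routes_hardened() {
	register_rest_route( 'example-forms/v1', '/schema', array(
		'methods'             => 'POST',
		'callback'            => 'example_save_forms_schema_hardened',
		// Changing plugin-wide configuration is an administrative action.
		'permission_callback' => function () {
			return current_user_can( 'manage_options' );
		},
		'args'                => array(
			'fields' => array(
				'required'          => true,
				'type'              => 'array',
				'validate_callback' => 'example_validate_fields',
			),
		),
	) );
}

// Reject anything that is not a bounded list of {name, type} field definitions.
function example_validate_fields( $fields ) {
	if ( ! is_array( $fields ) || count( $fields ) > 100 ) {
		return false;
	}
	foreach ( $fields as $field ) {
		if ( ! is_array( $field ) || ! isset( $field['name'], $field['type'] ) ) {
			return false;
		}
	}
	return true;
}

function example_save_forms_schema_hardened( WP_REST_Request $request ) {
	$allowed_types = array( 'text', 'email', 'textarea' );
	$fields        = array();
	foreach ( $request->get_param( 'fields' ) as $field ) {
		$fields[] = array(
			'name' => sanitize_key( $field['name'] ),
			'type' => in_array( $field['type'], $allowed_types, true ) ? $field['type'] : 'text',
		);
	}
	// One plugin-owned option; the caller can never choose the option name.
	update_option( 'example_forms_schema', $fields, false );
	return rest_ensure_response( array( 'saved' => true, 'fields' => count( $fields ) ) );
}

add_action( 'rest_api_init', 'example_forms_register_routes_hardened' );
```

Two points worth noting. WordPress already requires a valid X-WP-Nonce on cookie-authenticated REST calls, but that is CSRF protection, not authorization: a logged-in Contributor can obtain their own nonce, so a nonce check would not have closed this hole. Second, the capability to require is the one that matches the action's blast radius; a Contributor legitimately has edit_posts, so a check on edit_posts would still let them reach a handler that writes site options.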

Potential Impact

The vulnerability allows authenticated users with Contributor-level access or higher to modify critical site options, potentially leading to unauthorized site configuration changes and denial of service. This can disrupt normal site operations, degrade user experience, and undermine trust in the affected websites. Enabling user registration when it is supposed to be disabled could lead to spam registrations or unauthorized account creation, increasing the attack surface for further exploitation. Denial of service caused by site errors can result in downtime, impacting business continuity and potentially causing financial and reputational damage. Since WordPress powers a significant portion of the web, and Gutena Forms is a popular plugin, the scope of affected systems is broad. Organizations relying on this plugin without proper access controls or patching are at risk. The vulnerability does not expose confidential data directly but compromises site integrity and availability, which can have cascading effects on overall security posture.

Mitigation Recommendations

1. Restrict Contributor-level and higher roles to trusted personnel only; review existing accounts at these roles and remove or downgrade any that are not needed.
2. Monitor and audit changes to WordPress option values, especially users_can_register, default_role and other site-configuration options, to detect unauthorized modifications.
3. If a Web Application Firewall is in place, add rules that alert on or block requests to the plugin endpoint that invokes save_gutena_forms_schema(); the function is not itself a URL, so the rule must target the route or action that reaches it.
4. Deactivate the plugin, or disable its form-saving functionality, until a fixed release is available, especially on public-facing sites.
5. Back up site configuration and databases regularly so that tampered options or a broken site can be restored quickly.
6. Follow the vendor's releases and update as soon as a version later than 1.6.0 that addresses this issue is published.
7. Apply least privilege to WordPress roles: grant users only the capabilities their tasks require.
8. Include role-based access control in penetration tests to surface similar missing-authorization weaknesses in other plugins.
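Recommendations 2 and 7 can be enforced at the WordPress layer while a fix is pending. The must-use plugin below is an added example, not vendor code: it logs every change to a set of sensitive core options (the option names are real WordPress core options; the file name and EXAMPLE_ prefix are hypothetical) together with the acting user and request path, and it refuses such changes unless the acting user holds manage_options. It relies on the updated_option action and the pre_update_option_{$option} filter, both of which exist in WordPress core.

```php
<?php
/**
 * Plugin Name: Example Option Guard
 * Description: Illustrative interim control (not from the plugin vendor). Place in
 *              wp-content/mu-plugins/ so it loads before regular plugins.
 */

// Core options that a low-privileged user should never be able to change through a
// plugin bug. Extend as needed; these are genuine WordPress core option names.
const EXAMPLE_GUARDED_OPTIONS = array(
	'users_can_register',
	'default_role',
	'admin_email',
	'siteurl',
	'home',
	'active_plugins',
);

// 1. Audit: record who changed a guarded option, from where, and old -> new value.
add_action( 'updated_option', function ( $option, $old_value, $value ) {
	if ( ! in_array( $option, EXAMPLE_GUARDED_OPTIONS, true ) ) {
		return;
	}
	$user = wp_get_current_user();
	error_log( sprintf(
		'[option-audit] %s changed by user #%d (%s) via %s: %s -> %s',
		$option,
		$user->ID,
		$user->ID ? implode( ',', $user->roles ) : 'no-user',
		isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : 'cli/cron',
		wp_json_encode( $old_value ),
		wp_json_encode( $value )
	) );
}, 10, 3 );

// 2. Enforce: returning $old_value from pre_update_option_{$option} makes
//    update_option() a no-op, so the write never reaches the database.
foreach ( EXAMPLE_GUARDED_OPTIONS as $guarded ) {
	add_filter( 'pre_update_option_' . $guarded, function ( $value, $old_value, $option ) {
		$is_cli = defined( 'WP_CLI' ) && WP_CLI; // WP-CLI runs with no current user
		if ( $is_cli || current_user_can( 'manage_options' ) ) {
			return $value;
		}
		error_log( sprintf(
			'[option-guard] blocked change to %s by user #%d',
			$option,
			get_current_user_id()
		) );
		return $old_value;
	}, 10, 3 );
}
```

Ship the log lines to whatever collects PHP error_log output and alert on the [option-guard] prefix: a blocked write to users_can_register from a Contributor account is exactly the signal this vulnerability would produce. One caveat for the enforcement half: WP-Cron and activation hooks also run without a logged-in user, so if a legitimate background task needs to change one of the guarded options, exempt it explicitly rather than loosening the capability check.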


Technical Details

Data Version
5.2
Assigner Short Name
Wordfence
Date Reserved
2026-01-30T01:38:03.875Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 69a81880d1a09e29cb2f5309

Added to database: 3/4/2026, 11:33:20 AM

Last enriched: 3/4/2026, 11:48:23 AM

Last updated: 3/4/2026, 12:49:29 PM

