{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1753", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "state": "PUBLISHED", "assignerShortName": "WPScan", "dateReserved": "2026-02-02T09:47:03.130Z", "datePublished": "2026-03-11T06:00:03.165Z", "dateUpdated": "2026-03-11T13:46:58.114Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-03-11T06:00:03.165Z"}, "title": "Gutena Forms < 1.6.1 - Contributor+ Arbitrary Limited Options Update", "problemTypes": [{"descriptions": [{"description": "CWE-639 Authorization Bypass Through User-Controlled Key", "lang": "en", "type": "CWE"}]}], "affected": [{"vendor": "Unknown", "product": "Gutena Forms", "versions": [{"status": "affected", "versionType": "semver", "version": "0", "lessThan": "1.6.1"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Gutena Forms WordPress plugin before 1.6.1 does not validate option to be updated, which could allow contributors and above role to update arbitrary boolean and array options (such as users_can_register)."}], "references": [{"url": "https://wpscan.com/vulnerability/c42dbab9-b729-4748-88e5-0bd2f6d66e3d/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "credits": [{"lang": "en", "value": "yi\u011fit ibrahim sa\u011flam", "type": "finder"}, {"lang": "en", "value": "WPScan", "type": "coordinator"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "WPScan CVE Generator"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-639", "lang": "en", "description": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-11T13:44:58.202429Z", "id": "CVE-2026-1753", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T13:46:58.114Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-1753", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-11T13:44:58.202429Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T13:43:32.832Z"}}], "cna": {"title": "Gutena Forms < 1.6.1 - Contributor+ Arbitrary Limited Options Update", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "yi\u011fit ibrahim sa\u011flam"}, {"lang": "en", "type": "coordinator", "value": "WPScan"}], "affected": [{"vendor": "Unknown", "product": "Gutena Forms", "versions": [{"status": "affected", "version": "0", "lessThan": "1.6.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://wpscan.com/vulnerability/c42dbab9-b729-4748-88e5-0bd2f6d66e3d/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "x_generator": {"engine": "WPScan CVE Generator"}, "descriptions": [{"lang": "en", "value": "The Gutena Forms WordPress plugin before 1.6.1 does not validate option to be updated, which could allow contributors and above role to update arbitrary boolean and array options (such as users_can_register)."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-03-11T06:00:03.165Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1753", "state": "PUBLISHED", "dateUpdated": "2026-03-11T13:46:58.114Z", "dateReserved": "2026-02-02T09:47:03.130Z", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "datePublished": "2026-03-11T06:00:03.165Z", "assignerShortName": "WPScan"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Gutena Forms WordPress plugin before 1.6.1 does not validate option to be updated, which could allow contributors and above role to update arbitrary boolean and array options (such as users_can_register)."}, {"lang": "es", "value": "El plugin de WordPress Gutena Forms anterior a 1.6.1 no valida la opci\u00f3n a actualizar, lo que podr\u00eda permitir a roles de colaborador y superiores actualizar opciones booleanas y de array arbitrarias (como users_can_register)."}], "id": "CVE-2026-1753", "lastModified": "2026-04-15T15:05:47.827", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 4.0, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-11T06:17:13.273", "references": [{"source": "contact@wpscan.com", "url": "https://wpscan.com/vulnerability/c42dbab9-b729-4748-88e5-0bd2f6d66e3d/"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.6.1)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}]}, "product": "gutena_forms", "vendor": "gutena_forms"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-17T15:00:13.286254+00:00", "value": {"mitigation_remediation": ["Update Gutena Forms to version 1.6.1 or later"], "summary": {"action": "Patch Now", "impact": "Configuration Modification"}, "threat_synthesis": {"affected_systems": "The issue affects the Gutena Forms plugin for WordPress on all versions prior to 1.6.1. The vendor is listed as Gutena Forms, and any installation of this plugin where a contributor or higher user is present is at risk. No further version details are provided beyond the 1.6.1 threshold.", "description_and_impact": "The vulnerability in the Gutena Forms WordPress plugin allows a user with a contributor or higher role to modify any boolean or array option, such as users_can_register, without any validation. This unexpected capability can change site configuration and affect how the website behaves, potentially granting the attacker the ability to alter user registration, permission settings, and other core functionalities. The weakness is a role\u2011based access control flaw, identified as CWE\u2011639.", "risk_and_exploitability": "The CVSS score of 6.8 signals a moderate risk, while the EPSS score of less than 1% indicates a low probability of exploitation in the wild. The vulnerability is not listed in CISA\u2019s KEV catalog. Because the attacker requires an authenticated account with contributor or higher privileges, the attack vector is local and depends on existing internal access. An attacker could exploit the flaw by using the plugin\u2019s settings interface to flip boolean switches or replace array options, thereby altering site behavior or escalating privileges."}}}}, "created": "2026-03-12T10:06:27.208061+00:00", "updated": "2026-03-20T14:37:48.148488+00:00", "vendors": ["gutena_forms", "gutena_forms$PRODUCT$gutena_forms", "wordpress", "wordpress$PRODUCT$wordpress"]}