CVE-2026-1753 PUBLISHED

Gutena Forms < 1.6.1 - Contributor+ Arbitrary Limited Options Update

Assigner: WPScan
Reserved: 02.02.2026 Published: 11.03.2026 Updated: 11.03.2026

The Gutena Forms WordPress plugin before 1.6.1 does not validate option to be updated, which could allow contributors and above role to update arbitrary boolean and array options (such as users_can_register).

Product Status

Vendor	Unknown
Product	Gutena Forms
Versions	Default: unaffected affected from 0 to 1.6.1 (excl.)

Credits

yiğit ibrahim sağlam finder
WPScan coordinator

References

https://wpscan.com/vulnerability/c42dbab9-b729-4748-88e5-0bd2f6d66e3d/

Problem Types

CWE-639 Authorization Bypass Through User-Controlled Key CWE