CVE-2025-62099
Description
Missing Authorization vulnerability in approveme Signature Add-On for Gravity Forms gravity-signature-forms-add-on allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Signature Add-On for Gravity Forms: from n/a through <= 1.8.6.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in Signature Add-On for Gravity Forms allows attackers to exploit incorrectly configured access controls, leading to unauthorized actions.
Vulnerability Overview
The Signature Add-On for Gravity Forms plugin for WordPress (versions up to 1.8.6) suffers from a missing authorization vulnerability. This flaw allows attackers to exploit incorrectly configured access control security levels, potentially enabling unauthorized actions without proper authentication.
Exploitation
Attackers can exploit this vulnerability remotely without requiring special access, as it stems from missing authorization checks in the plugin's functions. The attack surface is broad, as it affects any WordPress site using the vulnerable plugin version. Since the vulnerability is used in mass-exploit campaigns, it can be targeted at thousands of sites simultaneously [1].
Impact
Successful exploitation allows an attacker to perform actions reserved for higher-privileged users, such as modifying settings or accessing sensitive data. This could lead to partial compromise of the site's functionality or data integrity, with a CVSS score of 4.3 (medium severity).
Mitigation
The vulnerability is patched in version 1.8.7 of the plugin, released to address the broken access control issue. Users are strongly advised to update immediately. If unable to update, contacting a hosting provider or web developer for assistance is recommended [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
- Range: <=1.8.6
Patches: 0
No patches discovered yet.
References: 1
News mentions: 0
No linked articles in our index yet.