CVE-2025-66079
Description
Missing Authorization vulnerability in Jegstudio Gutenverse Form gutenverse-form allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Gutenverse Form: from n/a through <= 2.2.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Gutenverse Form plugin for WordPress ≤2.2.0 has a missing authorization vulnerability allowing unauthenticated attackers to exploit access control flaws.
Vulnerability Overview
The Gutenverse Form plugin for WordPress, developed by Jegstudio, contains a missing authorization vulnerability in versions up to and including 2.2.0. This flaw is classified as a Broken Access Control issue, meaning the plugin fails to properly verify user permissions or nonce tokens before executing certain functions, allowing unauthenticated or low-privileged users to perform actions intended for higher-privileged roles [1].
Exploitation Prerequisites
No special authentication or network position is required; an attacker can exploit this vulnerability remotely without any prerequisites. The broken access control mechanism can be triggered by sending crafted requests to the plugin's endpoints, effectively bypassing security checks that should restrict functionality to authorized users [1].
Impact
Successful exploitation could allow an attacker to perform actions reserved for administrators, such as altering form configurations, accessing sensitive data, or executing other unintended operations. This vulnerability is particularly concerning as it may be used in mass-exploit campaigns targeting thousands of WordPress sites, regardless of their popularity or traffic [1].
Mitigation Status
The vendor has released version 2.3.0, which patches the authorization flaw. Users are strongly advised to update immediately. If updating is not possible, consult with a hosting provider or web developer for temporary mitigations. Patchstack users can enable auto-updates to protect affected plugins [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.