Gutena Forms – Contact Form, Survey Form, Feedback Form, Booking Fo…


by | Mar 4, 2026 | Plugins

Attack Vectors

CVE-2026-1674 is a Medium severity vulnerability (CVSS 6.5) affecting the WordPress plugin Gutena Forms – Contact Form, Survey Form, Feedback Form, Booking Form, and Custom Form Builder (slug: gutena-forms) in versions 1.6.0 and earlier.

The attack requires an authenticated WordPress user with Contributor-level access or higher. In practical business terms, this can include staff accounts, contractor accounts, agency accounts, or any user whose credentials are stolen through phishing, password reuse, or another compromise. Because the vulnerable function is reachable over the network and requires no user interaction, it can be exploited quickly once an attacker has a valid login.

Security Weakness

The core issue is missing authorization in the plugin’s save_gutena_forms_schema() function, which can allow a logged-in user (Contributor+) to perform unauthorized modification of site data.

Specifically, the vulnerability can allow attackers to overwrite WordPress option values with a structured array value. This matters because WordPress “options” often store settings that influence site behavior. When those values are changed improperly, it can lead to operational disruption and hard-to-diagnose errors.
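The missing-authorization pattern described above, shown as an added illustration beside a hardened form. This is not code from Gutena Forms or its patch; the action names, nonce name, request fields, option prefix and the choice of the manage_options capability are assumptions made for the example.

```php
<?php
// Added illustration. Hypothetical plugin code: action names, nonce name,
// request fields and option prefix are assumptions, not Gutena Forms code.

// WEAK: a wp_ajax_* hook only guarantees that the caller is logged in, so any
// Contributor reaches update_option() with request-derived data.
add_action( 'wp_ajax_example_save_schema_weak', function () {
    $name   = sanitize_key( wp_unslash( $_POST['schema_id'] ?? '' ) );
    $schema = json_decode( wp_unslash( $_POST['schema'] ?? '' ), true );
    update_option( $name, $schema ); // no capability check, no name restriction
    wp_send_json_success();
} );

// HARDENED: verify intent (nonce), verify privilege (capability), validate the
// input, and confine writes to the plugin's own option namespace.
add_action( 'wp_ajax_example_save_schema', 'example_save_schema' );

function example_save_schema() {
    // 1. Reject requests that do not carry a nonce minted for this action.
    //    check_ajax_referer() terminates the request on failure.
    check_ajax_referer( 'example_save_schema', 'nonce' );

    // 2. Authorization: changing settings needs an administrator capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 3. Validate the input shape before it reaches the options table.
    $form_id = sanitize_key( wp_unslash( $_POST['form_id'] ?? '' ) );
    $schema  = json_decode( wp_unslash( $_POST['schema'] ?? '' ), true );
    if ( '' === $form_id || ! is_array( $schema ) ) {
        wp_send_json_error( array( 'message' => 'Invalid schema' ), 400 );
    }

    // 4. Fixed prefix: the request can never select a core or third-party option.
    update_option( 'example_forms_schema_' . $form_id, $schema, false );
    wp_send_json_success();
}
```

A nonce alone is not authorization: any logged-in user who can load the page that prints it can obtain one, so the capability check in step 2 is the control that keeps Contributors out.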

Technical or Business Impacts

The most immediate risk described is that an attacker can change an option in a way that creates errors and denies service to legitimate users. For marketing and business teams, that can translate into downtime during campaigns, broken lead-capture forms, reduced conversion rates, and reputational impact if customers see an unstable site.

From a governance and compliance perspective, the vulnerability also creates a change-control and integrity risk: settings may be altered without proper authorization. That can complicate audits, incident response, and accountability—especially on sites where multiple people have Contributor access to publish content.

Recommended remediation: update Gutena Forms to version 1.6.1 or newer (patched). Consider also reviewing which users truly need Contributor access and tightening account security (unique passwords and MFA) to reduce the likelihood of an authenticated attacker reaching this function.

Reference: the CVE-2026-1674 record and the original Wordfence advisory (Wordfence vulnerability entry).

Similar Attacks

WordPress plugin vulnerabilities are frequently leveraged to disrupt operations or gain deeper access when a site has outdated components. Real-world examples include:

WP File Manager plugin vulnerability (Wordfence, 2020)
RevSlider (Slider Revolution) compromise wave (Sucuri, 2014)
WP GDPR Compliance plugin 0-day exploited in the wild (Wordfence, 2018)
