Skip to main content

CVE-2025-62099

MEDIUM
Missing Authorization (CWE-862)
2025-12-31 audit@patchstack.com
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
CVSS changed
Apr 23, 2026 - 15:43 NVD
4.3 (MEDIUM)
Analysis Generated
Apr 01, 2026 - 17:44 vuln.today
CVE Published
Dec 31, 2025 - 17:15 nvd
N/A

DescriptionCVE.org

Missing Authorization vulnerability in approveme Signature Add-On for Gravity Forms gravity-signature-forms-add-on allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Signature Add-On for Gravity Forms: from n/a through <= 1.8.6.

AnalysisAI

The Signature Add-On for Gravity Forms plugin (version 1.8.6 and earlier) contains a missing authorization vulnerability that allows attackers to bypass access controls and exploit incorrectly configured security levels. The vulnerability stems from improper implementation of authorization checks, enabling unauthorized users to access protected functionality or data that should be restricted based on user roles and permissions. This authentication bypass affects WordPress installations using the vulnerable plugin versions and is tracked as CWE-862 (Missing Authorization).

Technical ContextAI

The vulnerability is rooted in CWE-862 (Missing Authorization), a class of flaw where an application fails to properly verify that a user has the required permissions before granting access to sensitive operations or data. In this case, the Signature Add-On for Gravity Forms plugin does not adequately enforce access control checks when processing signature-related operations within Gravity Forms. Gravity Forms is a popular WordPress form builder plugin, and the Signature Add-On extends its functionality to support digital signature capture. The affected component likely fails to validate user roles, capabilities, or other authorization attributes before allowing users to view, edit, or process signature data or form submissions. The vulnerability may manifest as insufficient capability checking in WordPress actions/filters, missing nonce verification, or direct access to administrative functions without proper permission validation.

Affected ProductsAI

The vulnerability affects the Signature Add-On for Gravity Forms plugin (also referenced as gravity-signature-forms-add-on) in version 1.8.6 and all earlier versions. The plugin extends the Gravity Forms functionality to add digital signature capture capabilities to WordPress forms. Affected WordPress installations are those running this plugin up to and including version 1.8.6. The vulnerability was identified and reported by audit@patchstack.com through their vulnerability database.

RemediationAI

Immediately upgrade the Signature Add-On for Gravity Forms plugin to a patched version newer than 1.8.6. Check the plugin's official repository or vendor advisory at https://patchstack.com/database/Wordpress/Plugin/gravity-signature-forms-add-on/vulnerability/wordpress-signature-add-on-for-gravity-forms-plugin-1-8-6-broken-access-control-vulnerability for the exact patched version number and installation instructions. If an immediate upgrade is not feasible, disable the Signature Add-On for Gravity Forms plugin until a patch can be applied, as the missing authorization checks pose a direct risk to form submission data integrity and access control. Additionally, review access control configurations on any forms using the signature functionality and audit recent form submissions and signature data for unauthorized access.

Share

CVE-2025-62099 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy