CVE-2025-62099

2025-12-31 [email protected]

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 17:44 (vuln.today)
CVE Published: Dec 31, 2025 - 17:15 (nvd)

Description

Missing Authorization vulnerability in approveme Signature Add-On for Gravity Forms gravity-signature-forms-add-on allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Signature Add-On for Gravity Forms: from n/a through <= 1.8.6.

Analysis

The Signature Add-On for Gravity Forms plugin (version 1.8.6 and earlier) contains a missing authorization vulnerability that lets attackers bypass access controls by exploiting incorrectly configured security levels. Because authorization checks are not properly implemented, unauthorized users can reach protected functionality or data that should be restricted by user role and permission. This access control bypass affects WordPress installations running the vulnerable plugin versions and is tracked as CWE-862 (Missing Authorization).

Technical Context

The vulnerability is rooted in CWE-862 (Missing Authorization), a class of flaw where an application fails to properly verify that a user has the required permissions before granting access to sensitive operations or data. In this case, the Signature Add-On for Gravity Forms plugin does not adequately enforce access control checks when processing signature-related operations within Gravity Forms. Gravity Forms is a popular WordPress form builder plugin, and the Signature Add-On extends its functionality to support digital signature capture. The affected component likely fails to validate user roles, capabilities, or other authorization attributes before allowing users to view, edit, or process signature data or form submissions. The vulnerability may manifest as insufficient capability checking in WordPress actions/filters, missing nonce verification, or direct access to administrative functions without proper permission validation.

Affected Products

The vulnerability affects the Signature Add-On for Gravity Forms plugin (also referenced as gravity-signature-forms-add-on) in version 1.8.6 and all earlier versions. The plugin extends the Gravity Forms functionality to add digital signature capture capabilities to WordPress forms. Affected WordPress installations are those running this plugin up to and including version 1.8.6. The vulnerability was identified and reported by [email protected] through their vulnerability database.

Remediation

Immediately upgrade the Signature Add-On for Gravity Forms plugin to a patched version newer than 1.8.6. Check the plugin's official repository or vendor advisory at https://patchstack.com/database/Wordpress/Plugin/gravity-signature-forms-add-on/vulnerability/wordpress-signature-add-on-for-gravity-forms-plugin-1-8-6-broken-access-control-vulnerability for the exact patched version number and installation instructions. If an immediate upgrade is not feasible, disable the Signature Add-On for Gravity Forms plugin until a patch can be applied, as the missing authorization checks pose a direct risk to form submission data integrity and access control. Additionally, review access control configurations on any forms using the signature functionality and audit recent form submissions and signature data for unauthorized access.

Priority Score

0 (scale: Low, Medium, High, Critical)
KEV: 0
EPSS: +0.0
CVSS: +0
POC: 0
