Skip to main content

GravityView CVE-2026-57665

| EUVDEUVD-2026-39670 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-06-26 audit@patchstack.com GHSA-2rwg-7jf4-q7mq
5.3
CVSS 3.1 · Vendor: patchstack
Share

Severity by source

Vendor (patchstack) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
5.3 MEDIUM

Network-reachable IDOR with no authentication required (PR:N) exposing read-only entry data (C:L); no integrity or availability impact applies.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (patchstack).

CVSS VectorVendor: patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 16:07 vuln.today

DescriptionCVE.org

Unauthenticated Insecure Direct Object References (IDOR) in GravityView <= 3.0.0 versions.

AnalysisAI

Unauthenticated IDOR in GravityView WordPress plugin (≤ 3.0.0) allows remote attackers to bypass object-level authorization and access form entry data belonging to other users without any credentials or interaction. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation is trivially reachable over the network with no prerequisites beyond the plugin being active and a view being publicly rendered. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site running GravityView ≤ 3.0.0
Delivery
Locate publicly accessible GravityView View URL
Exploit
Send crafted HTTP request with manipulated entry ID parameter
Execution
Bypass object-level authorization check
Impact
Retrieve unauthorized Gravity Forms entry data

Vulnerability AssessmentAI

Exploitation GravityView plugin version 3.0.0 or earlier must be installed and active on the WordPress instance. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 5.3 (Medium) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N accurately reflects a network-reachable, zero-authentication flaw with limited confidentiality impact and no integrity or availability consequences. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated remote attacker identifies a WordPress site running GravityView ≤ 3.0.0 with at least one publicly accessible View. The attacker sends crafted HTTP requests manipulating the entry ID or similar reference parameter to enumerate form entries sequentially, retrieving records submitted by other users without any credentials. …
Remediation Update GravityView to a version above 3.0.0 via the WordPress plugin dashboard or the WordPress plugin repository. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57665 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy