Description
The GSheetConnector For Ninja Forms plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'njform-google-sheet-config ' page in all versions up to, and including, 2.0.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve information about the system.
Published: 2025-11-22
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: System Information Exposure
Action: Patch
AI Analysis

Impact

The GSheetConnector For Ninja Forms plugin contains a missing capability check on the 'njform-google-sheet-config' page. As a result, any authenticated user with Subscriber-level access or higher can retrieve privileged system data. The flaw falls under CWE-862, reflecting an authorization weakness that may expose sensitive configuration information.

Affected Systems

The vulnerability affects the westerndeal GSheetConnector For Ninja Forms plugin for WordPress. All released versions up to and including 2.0.1 are impacted. WordPress users with this plugin installed should verify their plugin version and update as soon as possible.

Risk and Exploitability

The CVSS base score is 4.3, indicating a moderate impact. The EPSS value of less than 1% suggests a low likelihood of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be local or authenticated, requiring the attacker to be logged into the site with at least Subscriber privileges to access the vulnerable configuration page.

Generated by OpenCVE AI on April 21, 2026 at 18:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the GSheetConnector For Ninja Forms plugin to the newest available version (2.0.2 or later) to remove the missing capability check.
  • If an update is not yet released, modify the plugin’s capability assignment for the 'njform-google-sheet-config' endpoint to require at least Editor or higher privileges.
  • As a temporary workaround, block or delete the 'njform-google-sheet-config' page from the public or subscriber‑level navigation so that only authorized administrators can reach it.

Generated by OpenCVE AI on April 21, 2026 at 18:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 24 Nov 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 24 Nov 2025 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Westerndeal
Westerndeal gsheetconnector For Ninja Forms
Wordpress
Wordpress wordpress
Vendors & Products Westerndeal
Westerndeal gsheetconnector For Ninja Forms
Wordpress
Wordpress wordpress

Sat, 22 Nov 2025 08:45:00 +0000

Type Values Removed Values Added
Description The GSheetConnector For Ninja Forms plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'njform-google-sheet-config ' page in all versions up to, and including, 2.0.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve information about the system.
Title GSheetConnector For Ninja Forms <= 2.0.1 - Missing Authorization to Authenticated (Subscriber+) System Information Exposure
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Westerndeal Gsheetconnector For Ninja Forms
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:54:22.586Z

Reserved: 2025-11-13T18:31:39.205Z

Link: CVE-2025-13136

cve-icon Vulnrichment

Updated: 2025-11-24T19:34:13.503Z

cve-icon NVD

Status : Deferred

Published: 2025-11-22T09:15:42.747

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13136

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T18:15:36Z

Weaknesses