Description
Deserialization of Untrusted Data vulnerability in raoinfotech GSheets Connector sheetlink allows Object Injection. This issue affects GSheets Connector: from n/a through <= 1.1.1.
Published: 2025-09-22
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in raoinfotech’s GSheets Connector for WordPress, where untrusted data is deserialized without proper validation, enabling PHP object injection. An attacker who can supply crafted data may instantiate arbitrary PHP objects, leading to execution of malicious code, data exfiltration, or modification of system files. The result is a loss of confidentiality and integrity, and potentially of availability through background tasks or configuration changes.

Affected Systems

Affected installations include all versions of GSheets Connector up to and including 1.1.1 deployed on a WordPress site. The product is distributed by raoinfotech and is commonly used to sync spreadsheets with WordPress. Any site running a vulnerable version is exposed.

Risk and Exploitability

With a CVSS score of 7.2, the flaw is rated high severity, while the EPSS score indicates a low exploitation probability (<1%) and the issue is not listed in CISA’s KEV catalog. The likely attack vector is an HTTP request to a plugin endpoint that accepts serialized data, which an attacker can manipulate from an external web request; the recorded CVSS vector (AV:N/AC:L/PR:H) describes a network attack that requires high privileges. Although the vulnerability is not listed in KEV, the remote code execution potential warrants prioritizing remediation.

Generated by OpenCVE AI on April 30, 2026 at 15:03 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply any available update from raoinfotech that addresses the deserialization flaw.
  • If no update is available, deactivate or uninstall the GSheets Connector plugin to eliminate the vulnerable component.
  • After remediation, scan the WordPress instance for any remnants of the plugin configuration and monitor for anomalous outbound connections that could indicate exploitation.


Advisories
Source: EUVD
ID: EUVD-2025-30726
Title: Deserialization of Untrusted Data vulnerability in raoinfotech GSheets Connector allows Object Injection. This issue affects GSheets Connector: from n/a through 1.1.1.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Deserialization of Untrusted Data vulnerability in raoinfotech GSheets Connector allows Object Injection. This issue affects GSheets Connector: from n/a through 1.1.1.
  Added: Deserialization of Untrusted Data vulnerability in raoinfotech GSheets Connector sheetlink allows Object Injection. This issue affects GSheets Connector: from n/a through <= 1.1.1.
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


Tue, 23 Sep 2025 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Tue, 23 Sep 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 22 Sep 2025 18:45:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in raoinfotech GSheets Connector allows Object Injection. This issue affects GSheets Connector: from n/a through 1.1.1.
Title WordPress GSheets Connector Plugin <= 1.1.1 - PHP Object Injection Vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:25.831Z

Reserved: 2025-06-30T10:46:37.789Z

Link: CVE-2025-53465

Vulnrichment

Updated: 2025-09-23T13:44:12.107Z

NVD

Status: Deferred

Published: 2025-09-22T19:15:43.807

Modified: 2026-04-23T15:32:34.910

Link: CVE-2025-53465

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T15:15:06Z

Weaknesses