Description
Cross-Site Request Forgery (CSRF) vulnerability in WesternDeal WooCommerce Google Sheet Connector wc-gsheetconnector allows Cross Site Request Forgery. This issue affects WooCommerce Google Sheet Connector: from n/a through <= 1.3.20.
Published: 2025-07-16
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A Cross‑Site Request Forgery flaw exists in the WesternDeal WooCommerce Google Sheet Connector plugin that allows an attacker to trigger actions in the context of an authenticated user. The attacker can cause the victim’s browser to send requests that modify plugin configuration or data in the Google Sheet, potentially corrupting orders or financial records. The weakness corresponds to CWE‑352.

Affected Systems

All installations of the WooCommerce Google Sheet Connector plugin for WordPress with version 1.3.20 or earlier are affected. The issue applies to every release from the plugin’s earliest known release through 1.3.20.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate impact, while the EPSS score of < 1 % suggests that practical exploitation is unlikely at present. The vulnerability is not listed in the CISA KEV catalog. To exploit the flaw, an attacker would need to convince the victim to visit a crafted URL, or to load a page that embeds a malicious form submitting to the plugin’s processing endpoint. Because the plugin lacks an appropriate CSRF token check, the attack can succeed as long as the victim’s session is still active. The overall risk is therefore moderate in terms of impact but low in likelihood of widespread exploitation.

Generated by OpenCVE AI on April 30, 2026 at 16:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check for and apply any vendor‑released patch to the WooCommerce Google Sheet Connector plugin once available.
  • If an update cannot be applied immediately, limit administrative access to the plugin and disable any features that expose endpoints to unauthenticated POST requests.
  • Consider implementing your own nonce validation on any forms that interact with the plugin’s endpoints to ensure that only legitimate requests are processed.
  • Monitor server logs for unexpected POST requests to the plugin’s URLs and investigate any identified anomalies.
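
The log-monitoring action above, as an added example (not code from OpenCVE or the plugin vendor): it scans combined-format access log lines for POSTs to watched endpoints whose Referer is missing or points to another origin. Only the slug `wc-gsheetconnector` comes from the advisory; the hostname, the sample log lines and the assumption that the plugin is reached through WordPress's `admin-ajax.php` / `admin-post.php` are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

SITE_HOST = "shop.example.com"  # assumption: the store's own hostname
# Plugin slug from the advisory plus WordPress's generic admin action endpoints.
# Assumption: the advisory does not list the plugin's actual request URLs.
WATCHED = ("wc-gsheetconnector", "/wp-admin/admin-ajax.php", "/wp-admin/admin-post.php")

LINE_RE = re.compile(  # Apache/nginx "combined" access log format
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"'
)

def referer_host(referer):
    try:
        return (urlsplit(referer).hostname or "").lower()
    except ValueError:  # malformed Referer, e.g. unbalanced IPv6 brackets
        return ""

def classify(line, site_host=SITE_HOST):
    """Return a finding for a watched POST with a missing or foreign Referer, else None."""
    m = LINE_RE.match(line)
    if not m or m["method"] != "POST" or not any(w in m["target"] for w in WATCHED):
        return None
    referer = m["referer"]
    if referer in ("", "-"):
        reason = "missing-referer"  # can be benign (privacy settings); a lead, not proof
    elif referer_host(referer) != site_host:
        reason = "cross-origin-referer"  # request was initiated from another site
    else:
        return None  # same-origin submission, the expected case
    return {"ts": m["ts"], "ip": m["ip"], "target": m["target"], "reason": reason}

def scan(lines, site_host=SITE_HOST):
    return [f for f in (classify(line, site_host) for line in lines) if f]

# Constructed sample lines (documentation addresses and example domains).
SAMPLE_LOG = [
    '192.0.2.10 - - [30/Apr/2026:10:01:02 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "https://shop.example.com/wp-admin/admin.php" "Mozilla/5.0"',
    '198.51.100.23 - - [30/Apr/2026:10:05:41 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "https://promo.example.net/offer.html" "Mozilla/5.0"',
    '198.51.100.23 - - [30/Apr/2026:10:06:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 17 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [30/Apr/2026:10:07:15 +0000] "GET /wp-admin/admin-ajax.php HTTP/1.1" 200 1 "https://promo.example.net/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["ts"], finding["ip"], finding["reason"], finding["target"])
```

Access logs do not record POST bodies, so requests that name the plugin only in an `action` body parameter are matched here by endpoint rather than by slug.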


Advisories
Source: EUVD
ID: EUVD-2025-21669
Title: Cross-Site Request Forgery (CSRF) vulnerability in GSheetConnector by WesternDeal WooCommerce Google Sheet Connector allows Cross Site Request Forgery. This issue affects WooCommerce Google Sheet Connector: from n/a through 1.3.20.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Removed: Cross-Site Request Forgery (CSRF) vulnerability in GSheetConnector by WesternDeal WooCommerce Google Sheet Connector allows Cross Site Request Forgery. This issue affects WooCommerce Google Sheet Connector: from n/a through 1.3.20.
Added: Cross-Site Request Forgery (CSRF) vulnerability in WesternDeal WooCommerce Google Sheet Connector wc-gsheetconnector allows Cross Site Request Forgery.This issue affects WooCommerce Google Sheet Connector: from n/a through <= 1.3.20.
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Wed, 16 Jul 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 16 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00029}


Wed, 16 Jul 2025 10:45:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in GSheetConnector by WesternDeal WooCommerce Google Sheet Connector allows Cross Site Request Forgery. This issue affects WooCommerce Google Sheet Connector: from n/a through 1.3.20.
Title WordPress WooCommerce Google Sheet Connector plugin <= 1.3.20 - Cross Site Request Forgery (CSRF) Vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:29.672Z

Reserved: 2025-07-16T08:51:50.629Z

Link: CVE-2025-54030

Vulnrichment

Updated: 2025-07-16T20:00:10.653Z

NVD

Status: Deferred

Published: 2025-07-16T11:15:30.403

Modified: 2026-04-23T15:32:44.100

Link: CVE-2025-54030

OpenCVE Enrichment

Updated: 2026-04-30T17:00:15Z

Weaknesses
  • CWE-352: Cross-Site Request Forgery (CSRF)