Description
The GSheetConnector For Gravity Forms plugin for WordPress is vulnerable to authorization bypass in versions less than, or equal to, 1.3.27. This is due to a missing capability check on the 'install_plugin' function. This makes it possible for authenticated attackers, with subscriber-level access and above to install plugins on the target site and potentially achieve arbitrary code execution on the server under certain conditions.
Published: 2025-10-11
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation via Plugin Installation
Action: Immediate Patch
AI Analysis

Impact

The flaw is a missing capability check in the plugin's install_plugin function. Because the handler performs no authorization of its own, any authenticated user, Subscriber role and above, can invoke it and install plugins of their choosing, even though such users do not hold WordPress's install_plugins capability. An attacker-supplied plugin can lead to arbitrary code execution on the server or other compromise. The weakness is classified as CWE-862 (Missing Authorization).

Affected Systems

WordPress sites running the GSheetConnector for Gravity Forms plugin from Western Deal with a version of 1.3.27 or earlier are impacted. Newer releases (1.3.28 and later) contain the fix.

Risk and Exploitability

The CVSS 3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) rates this High: a network-reachable flaw that needs no user interaction and only low privileges. The EPSS score below 1 % indicates that exploitation in the wild is currently assessed as unlikely, and the vulnerability is not listed in the CISA KEV catalog. An attacker needs an authenticated account of Subscriber level or higher; on sites that allow open registration, anyone can obtain one. With such an account, the only requirement is the ability to trigger the install_plugin routine, after which an attacker-chosen plugin is written under wp-content/plugins. WordPress does not load a plugin's code until it is activated, so a further step (activating it, or reaching a dropped PHP file directly) may be needed for code execution, which is why the description qualifies that outcome with "under certain conditions".

Generated by OpenCVE AI on April 20, 2026 at 19:16 UTC.
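The pattern behind this class of bug, shown as an added illustration rather than the GSheetConnector plugin's actual code: a WordPress AJAX handler registered on wp_ajax_{action} is reachable by every logged-in user, Subscriber included, so any authorization has to happen inside the callback. The first handler below omits it; the second adds the nonce check, the capability check, and an allowlist. Handler, action, parameter and slug names are assumptions made for the example.

```php
<?php
/**
 * Added illustration (not the GSheetConnector plugin's own code): a WordPress
 * AJAX "install plugin" handler with the missing-authorization bug that
 * CVE-2025-8593 describes, next to the same handler with the checks it lacks.
 * Function, action, parameter and slug names are assumptions for this example.
 */

// --- Vulnerable pattern: wp_ajax_{action} fires for every authenticated user,
// so with no check in the callback a Subscriber can reach the installer.
add_action( 'wp_ajax_example_install_plugin_vuln', 'example_install_plugin_vuln' );
function example_install_plugin_vuln() {
    $slug = sanitize_key( $_POST['slug'] ?? '' );
    example_do_plugin_install( $slug );   // no nonce, no capability check
    wp_send_json_success();
}

// --- Hardened pattern.
add_action( 'wp_ajax_example_install_plugin', 'example_install_plugin' );
function example_install_plugin() {
    // 1. CSRF protection: the request must carry a nonce minted for this action
    //    (check_ajax_referer() dies with HTTP 403 when it is missing or invalid).
    check_ajax_referer( 'example_install_plugin', 'nonce' );

    // 2. Authorization: only roles holding install_plugins (Administrator on a
    //    single site, Super Admin on multisite) may reach the installer.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Restrict what may be installed: an allowlist of expected slugs instead
    //    of a caller-supplied value passed straight to the installer.
    $allowed = array( 'example-companion-plugin' ); // assumption: the one plugin this feature exists to fetch
    $slug    = sanitize_key( $_POST['slug'] ?? '' );
    if ( ! in_array( $slug, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Plugin not permitted.' ), 400 );
    }

    $result = example_do_plugin_install( $slug );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 500 );
    }
    wp_send_json_success( array( 'installed' => $slug ) );
}

// Shared installer: look the slug up on WordPress.org and run Plugin_Upgrader.
// Returns true on success or a WP_Error.
function example_do_plugin_install( $slug ) {
    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';

    $api = plugins_api(
        'plugin_information',
        array( 'slug' => $slug, 'fields' => array( 'sections' => false ) )
    );
    if ( is_wp_error( $api ) ) {
        return $api;
    }
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $api->download_link );
    return is_wp_error( $result ) ? $result : true;
}
```

The nonce alone is not a fix: a Subscriber can obtain a valid nonce from any page that embeds one, so the current_user_can( 'install_plugins' ) check is the line that actually closes a CWE-862 hole. wp_send_json_error() terminates the request, so no explicit return is needed after it.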

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the GSheetConnector for Gravity Forms plugin to version 1.3.28 or later.
  • If an immediate update is not feasible, deactivate the plugin until it can be updated. There is no WordPress capability named install_plugin to revoke: the missing check is inside the plugin's own function, and Subscribers already lack the install_plugins capability, so editing roles does not close the hole. Also consider disabling open user registration (Settings > General, "Anyone can register") so attackers cannot self-provision Subscriber accounts.
  • Configure auditing or logging to detect new plugin installations and activations (for example via the upgrader_process_complete and activated_plugin hooks, or by monitoring the wp-content/plugins directory for new entries), and review plugin activity regularly.

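One way to get the audit trail the recommended actions call for, as an added example that is not part of the OpenCVE text or the GSheetConnector plugin: a must-use plugin that records every plugin install, update and activation together with the acting user and source address. The log destination (the PHP error log) and record format are assumptions; any SIEM shipper that tails that log can pick the lines up.

```php
<?php
/**
 * Plugin Name: Example Plugin Install Audit
 *
 * Added example, not code from the GSheetConnector plugin or OpenCVE. Place
 * this file in wp-content/mu-plugins/ so it loads before ordinary plugins and
 * cannot be deactivated from the dashboard. Log format and destination are
 * assumptions for the example.
 */

function example_audit_log( $event, array $fields ) {
    $user   = wp_get_current_user();
    $record = array_merge(
        array(
            'ts'    => gmdate( 'c' ),
            'event' => $event,
            'user'  => $user->exists() ? $user->user_login : 'anonymous',
            'uid'   => get_current_user_id(),
            'roles' => $user->exists() ? implode( ',', $user->roles ) : '',
            'ip'    => $_SERVER['REMOTE_ADDR'] ?? '',
            'uri'   => $_SERVER['REQUEST_URI'] ?? '',
            'cli'   => ( defined( 'WP_CLI' ) && WP_CLI ) ? 1 : 0,
        ),
        $fields
    );
    // One JSON object per line, prefixed so it is easy to grep out of the error log.
    error_log( 'wp-plugin-audit ' . wp_json_encode( $record ) );
}

// Fires after Plugin_Upgrader (and the theme/core upgraders) finish; filter to plugins.
add_action( 'upgrader_process_complete', function ( $upgrader, $hook_extra ) {
    if ( ( $hook_extra['type'] ?? '' ) !== 'plugin' ) {
        return;
    }
    $action = $hook_extra['action'] ?? 'unknown';
    $target = array();
    if ( 'install' === $action && $upgrader instanceof Plugin_Upgrader ) {
        // plugin_info() returns the basename of the plugin just installed.
        $target['plugin'] = $upgrader->plugin_info();
    } elseif ( ! empty( $hook_extra['plugins'] ) ) {
        $target['plugins'] = (array) $hook_extra['plugins'];
    }
    example_audit_log( 'plugin_' . $action, $target );
}, 10, 2 );

// Fires when a plugin is activated, including a freshly installed one.
add_action( 'activated_plugin', function ( $plugin, $network_wide ) {
    example_audit_log( 'plugin_activated', array(
        'plugin'  => $plugin,
        'network' => (int) $network_wide,
    ) );
}, 10, 2 );
```

A plugin_install record whose roles field is subscriber (or any role that does not carry install_plugins) is the signal to alert on: in a healthy site that combination cannot occur, so it points directly at a missing-authorization bug of this kind being exercised.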


Advisories

No advisories yet.

History

Fri, 10 Apr 2026 04:15:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 21 Oct 2025 13:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared   (none)           Westerndeal; Westerndeal gsheetconnector For Gravity Forms; Wordpress; Wordpress wordpress
Vendors & Products    (none)           Westerndeal; Westerndeal gsheetconnector For Gravity Forms; Wordpress; Wordpress wordpress

Sat, 11 Oct 2025 09:45:00 +0000

Type          Values Removed   Values Added
Description   (none)           The GSheetConnector For Gravity Forms plugin for WordPress is vulnerable to authorization bypass in versions less than, or equal to, 1.3.27. This is due to a missing capability check on the 'install_plugin' function. This makes it possible for authenticated attackers, with subscriber-level access and above to install plugins on the target site and potentially achieve arbitrary code execution on the server under certain conditions.
Title         (none)           GSheetConnector For Gravity Forms <= 1.3.27 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation
Weaknesses    (none)           CWE-862
References    (none)
Metrics       (none)           cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:21:20.745Z

Reserved: 2025-08-05T13:23:02.333Z

Link: CVE-2025-8593

Vulnrichment

Updated: 2025-10-14T18:43:22.599Z

NVD

Status : Deferred

Published: 2025-10-11T10:15:44.140

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-8593

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T19:30:06Z

Weaknesses