Description
The WPGSI: Spreadsheet Integration plugin for WordPress is vulnerable to unauthorized modification and loss of data due to missing capability checks and an insecure authentication mechanism on the `wpgsi_callBackFuncAccept` and `wpgsi_callBackFuncUpdate` REST API functions in all versions up to, and including, 3.8.3. Both REST endpoints use `permission_callback => '__return_true'`, allowing unauthenticated access. The plugin's custom token-based validation relies on a Base64-encoded JSON object containing the user ID and email address, but is not cryptographically signed. This makes it possible for unauthenticated attackers to forge tokens using publicly enumerable information (admin user ID and email) to create, modify, and delete arbitrary WordPress posts and pages, granted they know the administrator's email address and an active integration ID with remote updates enabled.
Published: 2026-02-25
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Content Manipulation via Arbitrary Post Creation/Deletion
Action: Apply Patch
AI Analysis

Impact

The WPGSI: Spreadsheet Integration plugin for WordPress is missing authorization checks on two REST API endpoints: their permission callback always returns true, so any request is executed. The plugin authenticates requests with a Base64-encoded JSON token that carries only the user ID and email address and is not cryptographically signed, so the token is trivially forgeable. As a result, an unauthenticated attacker who knows an administrator's email address and an active integration ID can create, modify, or delete arbitrary WordPress posts and pages, compromising content integrity and causing data loss.

Affected Systems

All installations of the javmah WPGSI: Spreadsheet Integration plugin up to and including version 3.8.3 are vulnerable. The issue is not tied to any particular hosting environment: any WordPress site running this plugin is affected, in particular sites that allow remote updates through the plugin's integration feature.

Risk and Exploitability

The overall risk is moderate to high, with a CVSS 3.1 score of 7.5. The EPSS score is below 1%, indicating a low probability of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. Because the vulnerability is exploitable via unauthenticated REST API calls, an attacker only needs to identify an admin email and an active integration ID, and then can forge a token to perform arbitrary content operations. The lack of cryptographic signing and missing capability checks make the attack straightforward once the prerequisites are met.

Generated by OpenCVE AI on April 15, 2026 at 18:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WPGSI: Spreadsheet Integration plugin to the latest version that implements proper authentication checks and signed tokens, or to any release beyond 3.8.3.
  • If an immediate upgrade is not possible, disable or uninstall the plugin entirely to remove exposed REST endpoints until a patch is available.
  • Configure the WordPress REST API to enforce capability checks on the plugin’s endpoints, ensuring that only users with appropriate permissions can create, modify, or delete content.
  • Additionally, strengthen site security by applying a web application firewall such as Wordfence and monitoring for suspicious REST requests.
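One way to close both gaps named above (a real permission callback instead of `__return_true`, and a server-signed token instead of a bare Base64 JSON object), shown as an added PHP illustration that is not the plugin's or the vendor's code; the route name, the option key and every `example_sheet_*` function are hypothetical.

```php
// Added illustration, not WPGSI's own code. Route name, option key and
// function names are hypothetical placeholders.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-sheet/v1', '/update', array(
        'methods'             => 'POST',
        'callback'            => 'example_sheet_update', // content-writing handler (not shown)
        // Fix 1: never '__return_true' on a route that writes content.
        'permission_callback' => function ( WP_REST_Request $request ) {
            $claims = example_sheet_verify_token( (string) $request->get_param( 'token' ) );
            // Capability check on the user the token was issued to.
            return $claims !== false && user_can( (int) $claims['uid'], 'edit_posts' );
        },
    ) );
} );

// Fix 2: sign the payload with a server-side secret (HMAC-SHA256) so that
// knowing a user ID and email is not enough to mint a valid token.
function example_sheet_issue_token( int $user_id, int $integration_id, int $ttl = 3600 ): string {
    $payload = wp_json_encode( array( 'uid' => $user_id, 'iid' => $integration_id, 'exp' => time() + $ttl ) );
    $mac     = hash_hmac( 'sha256', $payload, example_sheet_secret() );
    return base64_encode( $payload ) . '.' . $mac;
}

// Returns the verified claims, or false for a missing, tampered or expired token.
function example_sheet_verify_token( string $token ) {
    $parts = explode( '.', $token, 2 );
    if ( count( $parts ) !== 2 || ( $payload = base64_decode( $parts[0], true ) ) === false ) {
        return false;
    }
    $expected = hash_hmac( 'sha256', $payload, example_sheet_secret() );
    if ( ! hash_equals( $expected, $parts[1] ) ) { // constant-time; forged payloads fail here
        return false;
    }
    $claims = json_decode( $payload, true );
    if ( ! is_array( $claims ) || empty( $claims['uid'] ) || empty( $claims['exp'] ) || time() >= (int) $claims['exp'] ) {
        return false;
    }
    return $claims;
}

// Secret kept server-side (hypothetical option key), generated once; never placed in the token.
function example_sheet_secret(): string {
    $secret = get_option( 'example_sheet_hmac_secret', '' );
    if ( ! is_string( $secret ) || $secret === '' ) {
        $secret = wp_generate_password( 64, true, true );
        update_option( 'example_sheet_hmac_secret', $secret );
    }
    return $secret;
}
```

With the secret held only on the server, a token assembled from a known user ID and email fails the `hash_equals` check, and even a valid token only passes if its owner holds `edit_posts`.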



Advisories

No advisories yet.

History

Thu, 26 Feb 2026 13:30:00 +0000

Type: First Time appeared
Values Added: Javmah; Javmah spreadsheet Integration; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Javmah; Javmah spreadsheet Integration; Wordpress; Wordpress wordpress

Wed, 25 Feb 2026 18:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 25 Feb 2026 08:30:00 +0000

Type: Description
Values Added: The WPGSI: Spreadsheet Integration plugin for WordPress is vulnerable to unauthorized modification and loss of data due to missing capability checks and an insecure authentication mechanism on the `wpgsi_callBackFuncAccept` and `wpgsi_callBackFuncUpdate` REST API functions in all versions up to, and including, 3.8.3. Both REST endpoints use `permission_callback => '__return_true'`, allowing unauthenticated access. The plugin's custom token-based validation relies on a Base64-encoded JSON object containing the user ID and email address, but is not cryptographically signed. This makes it possible for unauthenticated attackers to forge tokens using publicly enumerable information (admin user ID and email) to create, modify, and delete arbitrary WordPress posts and pages, granted they know the administrator's email address and an active integration ID with remote updates enabled.

Type: Title
Values Added: WPGSI: Spreadsheet Integration <= 3.8.3 - Missing Authorization to Unauthenticated Arbitrary Post Creation and Deletion via Forged Base64 Token

Type: Weaknesses
Values Added: CWE-862

Type: References

Type: Metrics
Values Added: cvssV3_1
{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}


Subscriptions

Javmah Spreadsheet Integration
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:01:22.116Z

Reserved: 2026-02-04T15:54:39.204Z

Link: CVE-2026-1916

Vulnrichment

Updated: 2026-02-25T16:49:53.672Z

NVD

Status: Deferred

Published: 2026-02-25T09:16:14.943

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1916

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T18:15:10Z

Weaknesses