Description
The GSheet For Woo Importer plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the process_ajax_restore_action() function in all versions up to, and including, 2.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the plugin's Google Sheets API token and configuration options.
Published: 2026-05-21
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The GSheet For Woo Importer plugin is missing a capability check in its process_ajax_restore_action() function in all releases up to and including 2.3.1. Any authenticated user with Subscriber-level permissions or higher can therefore send an AJAX request that deletes the plugin’s stored Google Sheets API token and accompanying configuration options. The result is a loss of integration data, which can interrupt scheduled imports and cause processes that rely on the API token to fail.

Affected Systems

WordPress sites running the GSheet For Woo Importer plugin version 2.3.1 or earlier are impacted. The vulnerability is specific to the mrdollar4444 GSheet For Woo Importer plugin and applies to all WordPress installations that have not upgraded past the 2.3.1 release.

Risk and Exploitability

The CVSS score of 4.3 indicates medium severity, and the vulnerability is not listed in the CISA KEV catalog. No EPSS score is available, so the exploitation probability cannot be quantified. The attacker must be authenticated with at least Subscriber permissions; at that access level, a single HTTP request to the plugin's AJAX handler triggers the restore action. Once the request is processed, the plugin’s token and settings are removed, disrupting the integration. No additional conditions or vulnerabilities are needed.

Generated by OpenCVE AI on May 21, 2026 at 20:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest version of GSheet For Woo Importer (>= 2.3.2).
  • If an upgrade is not immediately possible, remove or temporarily disable the plugin to prevent unauthorized deletion of the API token and configuration options.
  • Restrict the AJAX restore_action endpoint to administrator users by adding capability checks or configuring firewall rules that block Subscriber-level users from accessing the plugin’s admin routes.
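
The capability check recommended above can be applied without editing the plugin by using a must-use plugin. The following is an added example, not the vendor's fix or code from the plugin; the AJAX action string is a placeholder because this page names only the handler function, and requiring manage_options is an assumed policy.

```php
<?php
/**
 * Plugin Name: Restore-action capability guard (added example)
 *
 * Place in wp-content/mu-plugins/. This is an illustrative mitigation,
 * not the vendor's patch for the missing capability check.
 */

defined( 'ABSPATH' ) || exit;

// ASSUMPTION: placeholder value. The advisory names only the handler
// function process_ajax_restore_action(); find the real action string in
// the plugin's add_action( 'wp_ajax_...' ) registration and set it here.
const GSWI_GUARD_AJAX_ACTION = 'REPLACE_WITH_PLUGIN_RESTORE_ACTION';

// ASSUMPTION: only users who can manage site options may reset the plugin.
const GSWI_GUARD_CAPABILITY = 'manage_options';

/**
 * Hooked at priority 0 so it runs before the plugin's own handler, which
 * is assumed to use the default priority of 10 on the same wp_ajax_ hook.
 */
function gswi_guard_restore_action() {
	if ( current_user_can( GSWI_GUARD_CAPABILITY ) ) {
		return; // Authorized: fall through to the plugin's handler.
	}

	// Record the denied attempt so it can be reviewed or alerted on.
	$user = wp_get_current_user();
	$ip   = isset( $_SERVER['REMOTE_ADDR'] )
		? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
		: 'unknown';
	error_log( sprintf(
		'[restore-guard] denied action=%s user_id=%d login=%s ip=%s',
		GSWI_GUARD_AJAX_ACTION,
		$user->ID,
		$user->user_login,
		$ip
	) );

	// Sends a JSON error with HTTP 403 and terminates the request, so the
	// plugin's handler never runs and no options are deleted.
	wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
}
add_action( 'wp_ajax_' . GSWI_GUARD_AJAX_ACTION, 'gswi_guard_restore_action', 0 );
```

The guard only checks the caller's capability; it does not add nonce verification, which belongs in the plugin's own handler.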


Advisories

No advisories yet.

History

Thu, 21 May 2026 19:45:00 +0000

Type | Values Removed | Values Added
Description | | The GSheet For Woo Importer plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the process_ajax_restore_action() function in all versions up to, and including, 2.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the plugin's Google Sheets API token and configuration options.
Title | | GSheet For Woo Importer <= 2.3.1 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Reset
Weaknesses | | CWE-862
References | |
Metrics | | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-21T19:29:12.127Z

Reserved: 2026-03-25T14:42:59.888Z

Link: CVE-2026-4843

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-05-21T20:16:14.723

Modified: 2026-05-21T21:03:56.320

Link: CVE-2026-4843

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-21T20:30:18Z

Weaknesses