WordPress Sheets To WP Table Live Sync Plugin <= 2.12.15 is vulnerable to Cross Site Request Forgery (CSRF)
Description
Cross-Site Request Forgery (CSRF) vulnerability in the WPPOOL Sheets To WP Table Live Sync plugin, versions <= 2.12.15.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSRF in WPPOOL's FlexTable plugin <= 2.12.15 allows attackers to perform unauthorized actions via crafted requests.
Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability exists in the WPPOOL FlexTable plugin (formerly Sheets To WP Table Live Sync), versions 2.12.15 and earlier. The plugin fails to properly validate or enforce CSRF tokens on state-changing requests, such as table creation, modification, or deletion. This allows an attacker to trick an authenticated administrator into unknowingly executing unwanted actions. The vulnerable code path does not require any additional configuration beyond the default plugin settings.
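The missing check described above, shown as an added example that is not code from the FlexTable plugin: a WordPress AJAX handler that trusts the session cookie alone, next to one that verifies a nonce and the caller's capability before changing state. All `example_*` names, the `nonce` field, the `admin.js` script and the `example_tables` table are hypothetical.

```php
<?php
/**
 * Plugin Name: CSRF Handler Example (constructed, not FlexTable code)
 */

// Weak pattern: wp_ajax_* only proves that a logged-in session cookie was sent.
// The browser attaches that cookie to cross-site requests too, so nothing here
// shows that the administrator meant to send this request.
add_action( 'wp_ajax_example_delete_table_unsafe', 'example_delete_table_unsafe' );
function example_delete_table_unsafe() {
    example_delete_table( isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0 );
    wp_send_json_success();
}

// Hardened pattern: the request must carry a nonce bound to this user, session
// and action, and the user must hold the required capability.
add_action( 'wp_ajax_example_delete_table_safe', 'example_delete_table_safe' );
function example_delete_table_safe() {
    // Ends the request with a 403 unless $_REQUEST['nonce'] is valid.
    check_ajax_referer( 'example_delete_table', 'nonce' );

    // A nonce is not authorization; check the capability separately.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    $table_id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    if ( 0 === $table_id ) {
        wp_send_json_error( array( 'message' => 'Missing table id' ), 400 );
    }
    example_delete_table( $table_id );
    wp_send_json_success();
}

// The nonce is issued only on the plugin's own admin screens, so a page on
// another origin cannot read it and cannot build a request that passes the check.
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleAdmin', array(
        'nonce' => wp_create_nonce( 'example_delete_table' ),
    ) );
} );

// Hypothetical state change standing in for "delete a synced table".
function example_delete_table( $table_id ) {
    global $wpdb;
    $wpdb->delete( $wpdb->prefix . 'example_tables', array( 'id' => $table_id ), array( '%d' ) );
}
```

When reviewing a plugin for this class of bug, each `wp_ajax_*`, `admin_post_*` and settings-save handler that changes state should contain both a nonce check and a capability check.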
Exploitation
An attacker can craft a malicious link or HTML form that, when clicked or submitted by an authenticated administrator, triggers a state-changing request to the WordPress site running the vulnerable plugin. The attacker needs neither network proximity nor authentication; the attack relies on social engineering to lure the admin. The attacker sends a crafted URL or embeds it in a page the admin visits, and the admin's browser then executes the request with their valid session cookies.
Impact
Successful exploitation allows the attacker to perform any action the administrator can take within the plugin's settings, such as modifying or deleting synced tables, changing connection settings to Google Sheets, or disabling data sync. This results in unauthorized changes to the site's content and potential data integrity compromise. The attack does not grant direct access to sensitive data but can alter published tables.
Mitigation
The vulnerability is fixed in version 2.12.16 of the FlexTable plugin, which was released on 2023-11-20. Users should update to this version or later. For sites that cannot update immediately, administrators should be cautious about clicking untrusted links while logged into the WordPress admin area. No other workarounds are provided in the available references [1].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=2.12.15
- WPPOOL/Sheets To WP Table Live Sync v5 Range: n/a
Patches
No patches discovered yet.
References
News mentions
No linked articles in our index yet.