CVE-2025-22686
Description
Missing Authorization vulnerability in WesternDeal CF7 Google Sheets Connector cf7-google-sheets-connector allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CF7 Google Sheets Connector: from n/a through <= 5.0.17.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated attackers can exploit missing authorization in the CF7 Google Sheets Connector plugin (≤5.0.17) to modify Google Sheets integration settings.
Vulnerability
The CF7 Google Sheets Connector plugin for WordPress contains a missing authorization vulnerability. Its access control security levels are incorrectly configured, which permits exploitation without proper authentication. The plugin is designed to forward Contact Form 7 submissions to Google Sheets, and the flaw resides in the settings handling code, which does not adequately verify user capabilities. Affected versions: all up to and including 5.0.17.
Exploitation
An attacker does not need any authentication or special privileges. They only need network access to the WordPress installation. By crafting a direct request to the plugin’s administrative endpoints, an unauthenticated remote attacker can modify Google Sheets connection settings or alter how form data is sent to external spreadsheets, because the plugin fails to enforce capability checks on AJAX actions or admin pages [1].
Impact
A successful exploit allows the attacker to change the Google Sheets integration configuration. This could redirect form submissions to an attacker-controlled spreadsheet, leading to exfiltration of sensitive data submitted via Contact Form 7 (such as names, email addresses, and custom fields). The integrity of the data flow is compromised, and confidentiality is breached if submission data is sent to an external party. The attacker does not gain code execution or full site control, but can leak submitted form data. The issue is rated Medium severity (CVSS 5.3).
Mitigation
Users must update to version 5.1.6 or later, which was released on 2025-02-03 (the same date as this advisory) [1]. No workaround is available if the plugin cannot be updated. No evidence of inclusion in the CISA KEV list was found in the provided references.
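The missing capability check described under Exploitation can be looked for in plugin source with a static pass. The following is an added example, not code from the plugin or from this advisory: a heuristic Python audit that lists each `wp_ajax_*` hook and flags callbacks that lack `current_user_can()` or a nonce check. The PHP sample and its handler names are constructed for illustration.

```python
import re

# Constructed sample PHP; handler names are hypothetical, not the plugin's code.
SAMPLE_PHP = r"""<?php
add_action( 'wp_ajax_example_save_settings', 'example_save_settings' );
add_action( 'wp_ajax_nopriv_example_ping', 'example_ping' );
add_action( 'wp_ajax_example_reset', array( $this, 'example_reset' ) );
function example_save_settings() {
    check_ajax_referer( 'example_nonce', 'security' );
    if ( ! current_user_can( 'manage_options' ) ) { wp_send_json_error( null, 403 ); }
    update_option( 'example_sheet_id', sanitize_text_field( $_POST['sheet_id'] ) );
}
function example_ping() { wp_send_json_success( 'pong' ); }
function example_reset() {
    if ( isset( $_POST['confirm'] ) ) { delete_option( 'example_sheet_id' ); }
}
"""

# Matches add_action('wp_ajax_*', 'cb') and the array($this, 'cb') / [$this, 'cb'] forms.
HOOK_RE = re.compile(
    r"add_action\(\s*['\"](wp_ajax_(?:nopriv_)?\w+)['\"]\s*,\s*"
    r"(?:array\s*\([^,]+,\s*|\[[^,]+,\s*)?['\"](\w+)['\"]")

def function_body(src, name):
    """Return the brace-delimited body of function `name`, or None if absent."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(src) and depth:  # heuristic: braces inside strings are counted too
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]

def audit(src):
    """Map each registered AJAX hook to a list of findings for its callback."""
    report = {}
    for hook, callback in HOOK_RE.findall(src):
        body = function_body(src, callback)
        issues = ["reachable without login"] if hook.startswith("wp_ajax_nopriv_") else []
        if body is None:
            issues.append("callback not found")
        else:
            if "current_user_can(" not in body:
                issues.append("no capability check")
            if not re.search(r"check_ajax_referer\(|wp_verify_nonce\(", body):
                issues.append("no nonce check")
        report[hook] = issues
    return report
```

Calling `audit()` on the contents of a plugin's PHP file returns an empty list for hooks whose callback performs both checks. Findings are leads for manual review, since a check may live in a helper the callback calls.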
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=5.0.17
- Range: <=5.0.17
Patches
No patches discovered yet.