CVE-2025-67570
Description
Missing Authorization vulnerability in WesternDeal WPForms Google Sheet Connector gsheetconnector-wpforms allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WPForms Google Sheet Connector: from n/a through <= 4.0.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in WPForms Google Sheet Connector plugin (<=4.0.0) allows unprivileged users to exploit broken access controls.
Vulnerability
Analysis
The WPForms Google Sheet Connector plugin for WordPress, versions 4.0.0 and below, suffers from a missing authorization vulnerability. This flaw stems from the plugin's failure to properly enforce access control checks on certain functions, allowing users with lower privileges to perform actions that should require higher-level permissions. The issue is categorized as a broken access control problem, which can be exploited to bypass security restrictions [1].
Exploitation
An attacker does not require any special privileges to exploit this vulnerability. By accessing the plugin's endpoints directly or manipulating requests, an unprivileged user can trigger actions that are meant to be restricted to administrators or other higher-privileged roles. This makes the vulnerability easy to exploit, especially in mass-exploit campaigns targeting thousands of WordPress sites [1].
Impact
Successful exploitation can lead to unauthorized access to sensitive data stored in Google Sheets, modification of configuration settings, or other administrative actions. The exact impact depends on the context of the affected site, but it generally allows an attacker to escalate privileges and compromise the integrity or confidentiality of the connected data [1].
Mitigation
The vendor has released version 4.0.1 to address this vulnerability. Users are strongly advised to update their plugin immediately. For those unable to update, contacting the hosting provider or a web developer for assistance is recommended. Patchstack users can enable auto-updates for vulnerable plugins [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
- Range: <=4.0.0
- Range: <=4.0.0
Patches: 0
No patches discovered yet.
References: 1
News mentions: 0
No linked articles in our index yet.