CVE-2025-9543
Description
The FlexTable WordPress plugin before 3.19.2 does not sanitise and escape the imported links from Google Sheet cells, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
FlexTable plugin before 3.19.2 fails to sanitize imported Google Sheet links, enabling stored XSS for high-privilege users even when unfiltered_html is disallowed.
Vulnerability
Overview
The FlexTable WordPress plugin, in versions before 3.19.2, fails to sanitise and escape links imported from Google Sheet cells. The plugin copies spreadsheet data into WordPress through its own import path, and that path neither validates the link values on the way in nor escapes them on the way out, so malicious link content is stored and later rendered wherever the table is displayed. The issue matters because it works even where the unfiltered_html capability is disallowed (for example in a multisite setup): WordPress runs its KSES filter over post content that such users save through the editor, but data a plugin stores itself never passes through that filter, so the plugin has to do the sanitising and escaping on its own.
Exploitation and Attack Surface
A high-privilege user, such as an administrator, can import a specially crafted Google Sheet containing a malicious link in a cell. When the plugin imports and renders that link without proper output encoding, the embedded JavaScript runs in the browser of whoever views the rendered table, including other administrators. The attack requires at least administrator-level access to the WordPress site, so the attacker already holds a sensitive account; the significance is that the stored payload then reaches other administrators or contributors who view the affected table, and that it bypasses the unfiltered_html restriction meant to stop exactly this kind of injection from such accounts, potentially leading to further compromise [1].
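The vulnerable and hardened rendering patterns side by side, as an added example that is not FlexTable's code. It assumes the plugin turns each imported cell value into an <a> element; the function names, the scheme allowlist and the sample cell values are constructed for illustration. Inside a real WordPress plugin the three hardening steps map onto esc_url(), esc_attr() and esc_html(); plain-PHP equivalents are used here so the file runs stand-alone with the php CLI.

```php
<?php
// Added example, not FlexTable's code. Shows how an imported Google Sheet
// "link" cell becomes stored XSS when dropped into HTML unescaped, and one
// hardened renderer. Cell values below are constructed; nothing is fetched.

// Vulnerable pattern: the cell value is trusted as both href and link text.
function render_link_vulnerable(string $cell): string
{
    return '<a href="' . $cell . '">' . $cell . '</a>';
}

// Step 1 of the hardened pattern: allowlist the URL scheme. In WordPress,
// esc_url() does this job (plus some normalisation); this is a plain-PHP stand-in.
function safe_href(string $url): ?string
{
    // Drop control characters and whitespace that browsers ignore inside a
    // scheme, so "java\tscript:" is seen for what it is.
    $url = preg_replace('/[\x00-\x20\x7f]/', '', trim($url));
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if ($scheme === '') {
        return null;   // no scheme: bare text or a relative path, refused here
    }
    if (!in_array($scheme, ['http', 'https', 'mailto'], true)) {
        return null;   // javascript:, data:, vbscript: and friends are refused
    }
    return $url;
}

// Steps 2 and 3: escape separately for the attribute and the text context
// (esc_attr() and esc_html() in WordPress). An unsafe URL degrades to plain
// text rather than an anchor, so the cell stays visible but inert.
function render_link_hardened(string $cell, ?string $label = null): string
{
    $text = htmlspecialchars($label ?? $cell, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $href = safe_href($cell);
    if ($href === null) {
        return $text;
    }
    $href = htmlspecialchars($href, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $href . '" rel="noopener">' . $text . '</a>';
}

// Constructed sample cells an importing admin might unknowingly pull in.
$cells = [
    'https://example.com/report',
    'javascript:alert(document.cookie)',
    "java\tscript:alert(1)",
    'https://example.com/" onmouseover="alert(1)',
    '<img src=x onerror=alert(1)>',
];

foreach ($cells as $cell) {
    echo "cell:       {$cell}\n";
    echo "vulnerable: " . render_link_vulnerable($cell) . "\n";
    echo "hardened:   " . render_link_hardened($cell) . "\n\n";
}
```

Run it with `php example.php`. The vulnerable renderer emits the javascript: URL as a live href and lets the fourth cell break out of the attribute to add an onmouseover handler; the hardened renderer refuses the three cells with no usable scheme and keeps the fourth as an anchor whose quote is escaped, so the injected handler never becomes an attribute. The split into scheme check plus per-context escaping is the point: escaping alone does not stop javascript: in an href, and a scheme check alone does not stop attribute breakout.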
Impact
Successful exploitation allows an attacker to inject arbitrary JavaScript that runs for users who view the affected table, including those in the admin dashboard. This can lead to session hijacking, forced administrative actions, or defacement, all while bypassing the unfiltered_html restriction that normally prevents such attacks. The CVSS score reflects the limited attack surface (high privileges required) and the need for user interaction (a victim viewing the rendered link).
Mitigation
The vulnerability has been addressed in version 3.19.2 of the FlexTable plugin [1]. Users are strongly advised to update to this patched release or later. There are no known workarounds beyond upgrading. The vulnerability was publicly disclosed on 2025-12-15 and is not currently known to be exploited in the wild.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (no patches discovered yet)
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 1
News mentions: 0 (no linked articles in our index yet)