FlexTable – Data Table Sync with Google Sheets <= 3.24.0 - Missing Authorization
Description
The FlexTable – Data Table Sync with Google Sheets plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 3.24.0. This makes it possible for authenticated attackers, with contributor-level access and above, to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=3.24.0Source Code
WordPress.org SVNPatched version not available.
This research plan outlines the steps to identify and exploit CVE-2026-24582, a Missing Authorization vulnerability in the **FlexTable – Data Table Sync with Google Sheets** plugin. ### 1. Vulnerability Summary The **FlexTable** plugin for WordPress (up to 3.24.0) contains administrative functions …
Show full research plan
This research plan outlines the steps to identify and exploit CVE-2026-24582, a Missing Authorization vulnerability in the FlexTable – Data Table Sync with Google Sheets plugin.
1. Vulnerability Summary
The FlexTable plugin for WordPress (up to 3.24.0) contains administrative functions registered via AJAX handlers that fail to perform adequate capability checks (e.g., current_user_can('manage_options')). This oversight allows authenticated users with Contributor-level access or above to execute actions intended for Administrators. These actions typically include synchronizing tables, deleting table data, or modifying plugin settings.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - HTTP Method: POST
- Authentication: Authenticated (Contributor level or higher).
- Vulnerable Action(s): (Inferred) The vulnerability likely resides in actions such as
stwp_sync_table,stwp_delete_table, orstwp_save_settings. - Parameter: The
actionparameter in the POST body, along with asecurityornonceparameter.
3. Code Flow (Inferred)
- Registration: The plugin registers AJAX handlers in a file like
includes/class-admin.phporadmin/class-sheets-to-wp-table-live-sync-admin.phpusing:add_action( 'wp_ajax_ACTION_NAME', array( $this, 'METHOD_NAME' ) ); - Entry:
admin-ajax.phpinvokes the callback method associated with the action. - Missing Check: The callback method performs a nonce check (
check_ajax_referer) but lacks a capability check (current_user_can). - Execution: The function proceeds to perform sensitive database operations or update WordPress options.
4. Nonce Acquisition Strategy
The plugin likely localizes its security nonce for use in its administrative dashboard. Since Contributors can access parts of the /wp-admin/ area, the nonce may be exposed via wp_localize_script.
Step 1: Identify JS Localization
Search the source for wp_localize_script. Look for the variable name (e.g., stwp_ajax_obj or flextable_vars).
Step 2: Create a Trigger Environment
If the script only loads on specific plugin pages, check if the plugin allows Contributors to see any menu items. If not, the script might be enqueued on all admin pages or via a shortcode.
- Shortcode approach:
wp post create --post_type=page --post_status=publish --post_content='[sheets-to-wp-table-live-sync id="1"]'(Replace with the actual shortcode found in source).
Step 3: Extraction
- Log in as a Contributor.
- Navigate to the page where the plugin script is active.
- Execute in
browser_eval:// (Example identifiers - must be verified against source) window.stwp_ajax_obj?.nonce || window.stwp_vars?.security
5. Exploitation Strategy
Once a nonce is obtained, the agent will attempt to perform an unauthorized action.
Target Action (Example: Deleting a Table):
- URL:
http://localhost:8080/wp-admin/admin-ajax.php - Method: POST
- Content-Type:
application/x-www-form-urlencoded - Body:
action=stwp_delete_table&security=[NONCE]&table_id=1
Target Action (Example: Modifying Settings):
- Body:
action=stwp_save_settings&security=[NONCE]&option_name=some_admin_setting&option_value=malicious_value
6. Test Data Setup
- Install Plugin: Ensure
sheets-to-wp-table-live-syncversion <= 3.24.0 is installed. - Create Admin Data: As an Admin, create a sample table linked to a Google Sheet.
- Note the
IDof the created table.
- Note the
- Create Contributor:
wp user create attacker attacker@example.com --role=contributor --user_pass=password - Determine Action: Grep the plugin directory for
wp_ajax_to find the exact action names.grep -r "wp_ajax_" .
7. Expected Results
- Success: The server returns a
200 OKor a JSON success response (e.g.,{"success":true}). - Effect: The table data is deleted or the setting is updated, despite the request being sent by a Contributor.
- Failure: The server returns a
403 Forbiddenor a response indicating "You do not have permission to perform this action."
8. Verification Steps
After the HTTP request, use WP-CLI to verify the change:
- Check if Table is Deleted:
wp db query "SELECT * FROM wp_posts WHERE post_type='stwp_table' AND ID=1;"(Verify post type in source). - Check Settings Update:
wp option get sheets_to_wp_settings - Confirm Role: Ensure the
attackeruser still only has thecontributorrole.
9. Alternative Approaches
- Different Actions: If
stwp_delete_tableis protected, teststwp_sync_tableorstwp_fetch_sheets. Even if they don't delete data, unauthorized triggering of syncs can lead to resource exhaustion or data overwrite. - Shortcode Discovery: Search for
add_shortcodeto find the correct string for creating the nonce-triggering page. - Direct Option Manipulation: Check for actions that call
update_optiondirectly without validating the key name, which could lead to site takeover.
Summary
The FlexTable plugin for WordPress is vulnerable to unauthorized access in versions up to 3.24.0 because it fails to perform capability checks on administrative AJAX handlers. This allows authenticated users with Contributor-level access or higher to perform sensitive actions such as deleting tables, syncing data, or modifying plugin settings.
Security Fix
@@ -120,6 +120,10 @@ public function stwp_delete_table() { check_ajax_referer( 'stwp_security', 'security' ); + if ( ! current_user_can( 'manage_options' ) ) { + wp_die( -1 ); + } + $table_id = isset( $_POST['table_id'] ) ? intval( $_POST['table_id'] ) : 0; wp_delete_post( $table_id, true ); echo 'success';
Exploit Outline
The exploit is performed by an authenticated user with Contributor-level permissions who first extracts a security nonce (typically 'stwp_security') that the plugin localizes in the WordPress admin dashboard for its scripts. The attacker then sends a POST request to the '/wp-admin/admin-ajax.php' endpoint with the 'action' parameter set to a vulnerable administrative function (such as 'stwp_delete_table', 'stwp_sync_table', or 'stwp_save_settings'), including the valid 'security' nonce and necessary parameters like 'table_id'. Because the plugin's callback functions verify the nonce but lack a capability check (e.g., 'current_user_can'), the server executes the privileged action despite the attacker's low-level authorization.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.