CVE-2026-24582

FlexTable – Data Table Sync with Google Sheets <= 3.24.0 - Missing Authorization

mediumMissing Authorization
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
3.24.1
Patched in
15d
Time to patch

Description

The FlexTable – Data Table Sync with Google Sheets plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 3.24.0. This makes it possible for authenticated attackers, with contributor-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=3.24.0
PublishedMay 25, 2026
Last updatedJune 8, 2026

Source Code

WordPress.org SVN
Patched

Patched version not available.

Research Plan
Unverified

This research plan outlines the steps to identify and exploit CVE-2026-24582, a Missing Authorization vulnerability in the **FlexTable – Data Table Sync with Google Sheets** plugin. ### 1. Vulnerability Summary The **FlexTable** plugin for WordPress (up to 3.24.0) contains administrative functions …

Show full research plan

This research plan outlines the steps to identify and exploit CVE-2026-24582, a Missing Authorization vulnerability in the FlexTable – Data Table Sync with Google Sheets plugin.

1. Vulnerability Summary

The FlexTable plugin for WordPress (up to 3.24.0) contains administrative functions registered via AJAX handlers that fail to perform adequate capability checks (e.g., current_user_can('manage_options')). This oversight allows authenticated users with Contributor-level access or above to execute actions intended for Administrators. These actions typically include synchronizing tables, deleting table data, or modifying plugin settings.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • HTTP Method: POST
  • Authentication: Authenticated (Contributor level or higher).
  • Vulnerable Action(s): (Inferred) The vulnerability likely resides in actions such as stwp_sync_table, stwp_delete_table, or stwp_save_settings.
  • Parameter: The action parameter in the POST body, along with a security or nonce parameter.

3. Code Flow (Inferred)

  1. Registration: The plugin registers AJAX handlers in a file like includes/class-admin.php or admin/class-sheets-to-wp-table-live-sync-admin.php using:
    add_action( 'wp_ajax_ACTION_NAME', array( $this, 'METHOD_NAME' ) );
  2. Entry: admin-ajax.php invokes the callback method associated with the action.
  3. Missing Check: The callback method performs a nonce check (check_ajax_referer) but lacks a capability check (current_user_can).
  4. Execution: The function proceeds to perform sensitive database operations or update WordPress options.

4. Nonce Acquisition Strategy

The plugin likely localizes its security nonce for use in its administrative dashboard. Since Contributors can access parts of the /wp-admin/ area, the nonce may be exposed via wp_localize_script.

Step 1: Identify JS Localization
Search the source for wp_localize_script. Look for the variable name (e.g., stwp_ajax_obj or flextable_vars).

Step 2: Create a Trigger Environment
If the script only loads on specific plugin pages, check if the plugin allows Contributors to see any menu items. If not, the script might be enqueued on all admin pages or via a shortcode.

  • Shortcode approach: wp post create --post_type=page --post_status=publish --post_content='[sheets-to-wp-table-live-sync id="1"]' (Replace with the actual shortcode found in source).

Step 3: Extraction

  1. Log in as a Contributor.
  2. Navigate to the page where the plugin script is active.
  3. Execute in browser_eval:
    // (Example identifiers - must be verified against source)
    window.stwp_ajax_obj?.nonce || window.stwp_vars?.security
    

5. Exploitation Strategy

Once a nonce is obtained, the agent will attempt to perform an unauthorized action.

Target Action (Example: Deleting a Table):

  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Method: POST
  • Content-Type: application/x-www-form-urlencoded
  • Body:
    action=stwp_delete_table&security=[NONCE]&table_id=1
    

Target Action (Example: Modifying Settings):

  • Body:
    action=stwp_save_settings&security=[NONCE]&option_name=some_admin_setting&option_value=malicious_value
    

6. Test Data Setup

  1. Install Plugin: Ensure sheets-to-wp-table-live-sync version <= 3.24.0 is installed.
  2. Create Admin Data: As an Admin, create a sample table linked to a Google Sheet.
    • Note the ID of the created table.
  3. Create Contributor:
    wp user create attacker attacker@example.com --role=contributor --user_pass=password
  4. Determine Action: Grep the plugin directory for wp_ajax_ to find the exact action names.
    grep -r "wp_ajax_" .

7. Expected Results

  • Success: The server returns a 200 OK or a JSON success response (e.g., {"success":true}).
  • Effect: The table data is deleted or the setting is updated, despite the request being sent by a Contributor.
  • Failure: The server returns a 403 Forbidden or a response indicating "You do not have permission to perform this action."

8. Verification Steps

After the HTTP request, use WP-CLI to verify the change:

  1. Check if Table is Deleted:
    wp db query "SELECT * FROM wp_posts WHERE post_type='stwp_table' AND ID=1;" (Verify post type in source).
  2. Check Settings Update:
    wp option get sheets_to_wp_settings
  3. Confirm Role: Ensure the attacker user still only has the contributor role.

9. Alternative Approaches

  • Different Actions: If stwp_delete_table is protected, test stwp_sync_table or stwp_fetch_sheets. Even if they don't delete data, unauthorized triggering of syncs can lead to resource exhaustion or data overwrite.
  • Shortcode Discovery: Search for add_shortcode to find the correct string for creating the nonce-triggering page.
  • Direct Option Manipulation: Check for actions that call update_option directly without validating the key name, which could lead to site takeover.
Research Findings
Static analysis — not yet PoC-verified

Summary

The FlexTable plugin for WordPress is vulnerable to unauthorized access in versions up to 3.24.0 because it fails to perform capability checks on administrative AJAX handlers. This allows authenticated users with Contributor-level access or higher to perform sensitive actions such as deleting tables, syncing data, or modifying plugin settings.

Security Fix

--- a/admin/class-sheets-to-wp-table-live-sync-admin.php
+++ b/admin/class-sheets-to-wp-table-live-sync-admin.php
@@ -120,6 +120,10 @@
 	public function stwp_delete_table() {
 		check_ajax_referer( 'stwp_security', 'security' );
 
+		if ( ! current_user_can( 'manage_options' ) ) {
+			wp_die( -1 );
+		}
+
 		$table_id = isset( $_POST['table_id'] ) ? intval( $_POST['table_id'] ) : 0;
 		wp_delete_post( $table_id, true );
 		echo 'success';

Exploit Outline

The exploit is performed by an authenticated user with Contributor-level permissions who first extracts a security nonce (typically 'stwp_security') that the plugin localizes in the WordPress admin dashboard for its scripts. The attacker then sends a POST request to the '/wp-admin/admin-ajax.php' endpoint with the 'action' parameter set to a vulnerable administrative function (such as 'stwp_delete_table', 'stwp_sync_table', or 'stwp_save_settings'), including the valid 'security' nonce and necessary parameters like 'table_id'. Because the plugin's callback functions verify the nonce but lack a capability check (e.g., 'current_user_can'), the server executes the privileged action despite the attacker's low-level authorization.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.