CVE-2026-4843

GSheet For Woo Importer <= 2.3.1 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Reset

mediumMissing Authorization
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
2.4.1
Patched in
1d
Time to patch

Description

The GSheet For Woo Importer plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the process_ajax_restore_action() function in all versions up to, and including, 2.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the plugin's Google Sheets API token and configuration options.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=2.3.1
PublishedMay 21, 2026
Last updatedMay 21, 2026

What Changed in the Fix

Changes introduced in v2.4.1

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan - CVE-2026-4843 ## 1. Vulnerability Summary The **GSheet For Woo Importer** plugin (up to version 2.3.1) is vulnerable to unauthorized data loss. The class `GSWOO\Actions\AdminSettingsAction` registers an AJAX handler `process_ajax_restore_action()` via the `wp_ajax_` h…

Show full research plan

Exploitation Research Plan - CVE-2026-4843

1. Vulnerability Summary

The GSheet For Woo Importer plugin (up to version 2.3.1) is vulnerable to unauthorized data loss. The class GSWOO\Actions\AdminSettingsAction registers an AJAX handler process_ajax_restore_action() via the wp_ajax_ hook. Because this handler fails to implement a capability check (e.g., current_user_can( 'manage_options' )), any authenticated user, including those with Subscriber-level permissions, can trigger the function. The function's purpose is to reset plugin configurations, effectively deleting the Google Sheets API token and connection settings, which disrupts the plugin's core functionality.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: Likely gswoo_restore_action (to be confirmed from AdminSettingsAction.php)
  • HTTP Method: POST
  • Authentication: Required (Subscriber or higher)
  • Parameters:
    • action: The AJAX action string.
    • security/_ajax_nonce: (If implemented) A nonce for CSRF protection.
  • Preconditions: The plugin must be configured with an API token or settings for the "reset" to be impactful.

3. Code Flow

  1. Initialization: GSWOO_Plugin::__construct calls init_actions().
  2. Action Registration: init_actions() instantiates GSWOO\Actions\AdminSettingsAction.
  3. Hooking: Inside AdminSettingsAction, a hook is registered: add_action( 'wp_ajax_gswoo_restore_action', [ $this, 'process_ajax_restore_action' ] );.
  4. Processing: When a Subscriber sends a POST request to admin-ajax.php with action=gswoo_restore_action:
    • WordPress identifies the user as authenticated.
    • WordPress executes the callback process_ajax_restore_action().
    • The function fails to check the user's capabilities.
    • The function proceeds to call delete_option() or update_option() on sensitive keys like gswoo_google_sheet_settings or gswoo_access_token.

4. Nonce Acquisition Strategy

If the function uses check_ajax_referer, we must find where the nonce is generated.

  1. Identify Nonce Registration: Look for wp_localize_script in includes/Actions/AdminSettingsAction.php (or similar).
  2. Determine Scope: If the script is enqueued using the admin_enqueue_scripts hook without checking the page slug, the nonce will be visible to a Subscriber on any admin page (e.g., /wp-admin/profile.php or /wp-admin/index.php).
  3. Extraction:
    • Navigate to /wp-admin/index.php as a Subscriber.
    • Use browser_eval to extract the nonce:
      browser_eval("window.gswoo_admin_params?.nonce") (Variable names are inferred and must be verified in the source).

5. Exploitation Strategy

Step 1: Preliminary Analysis

Confirm the exact AJAX action and nonce name.

# Locate the settings action file
find . -name "AdminSettingsAction.php"

# Find the AJAX action name
grep -r "wp_ajax_" .

# Find the implementation of process_ajax_restore_action
grep -n "function process_ajax_restore_action" -A 20 includes/Actions/AdminSettingsAction.php

Step 2: Setup Settings

As an admin, save dummy settings so there is something to delete.

wp option update gswoo_google_sheet_settings '{"client_id":"test_id","client_secret":"test_secret"}' --format=json
wp option update gswoo_access_token 'test_token'

Step 3: Extract Nonce (if applicable)

If the code reveals a nonce check:

  1. Log in as Subscriber.
  2. Navigate to /wp-admin/index.php.
  3. Extract nonce from the identified JS global variable.

Step 4: Execute Reset

Send the unauthorized request as the Subscriber.

Request Template:

  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Method: POST
  • Content-Type: application/x-www-form-urlencoded
  • Body: action=[ACTION_NAME]&security=[NONCE]

Step 5: Verification

Check if the options still exist.

6. Test Data Setup

  1. User: Create a subscriber user.
    wp user create attacker attacker@example.com --role=subscriber --user_pass=password
  2. Plugin Data: Ensure the plugin options are populated.
    wp option get gswoo_google_sheet_settings

7. Expected Results

  • The AJAX response should return a success status (e.g., {"success":true} or 1).
  • Following the request, wp option get gswoo_google_sheet_settings should return an empty result or error, indicating the data was deleted.

8. Verification Steps

# Check if settings were cleared
wp option get gswoo_google_sheet_settings
wp option get gswoo_access_token

# If successful, these should be empty or return 'Error: Could not get option'

9. Alternative Approaches

If wp_ajax_gswoo_restore_action is not the correct name:

  • Search for restore or reset strings in the entire plugin directory.
  • Monitor network traffic while clicking the "Restore/Reset" button in the admin settings as an administrator to capture the exact parameters.
  • Check if the function uses $_POST or $_REQUEST for parameters and if it specifically targets delete_option.
Research Findings
Static analysis — not yet PoC-verified

Summary

The GSheet For Woo Importer plugin for WordPress is vulnerable to unauthorized data loss in versions up to, and including, 2.3.1. This is due to a missing capability check on the process_ajax_restore_action() function, which allows authenticated attackers with subscriber-level permissions or higher to reset plugin configurations and delete the Google Sheets API token.

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/import-products-from-gsheet-for-woo-importer/2.4/import-products-from-gsheet-for-woo-importer.php /home/deploy/wp-safety.org/data/plugin-versions/import-products-from-gsheet-for-woo-importer/2.4.1/import-products-from-gsheet-for-woo-importer.php
--- /home/deploy/wp-safety.org/data/plugin-versions/import-products-from-gsheet-for-woo-importer/2.4/import-products-from-gsheet-for-woo-importer.php	2026-04-19 08:17:58.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/import-products-from-gsheet-for-woo-importer/2.4.1/import-products-from-gsheet-for-woo-importer.php	2026-04-23 06:40:18.000000000 +0000
@@ -8,7 +8,7 @@
  * Plugin Name: GSheet For Woo Importer
  * Plugin URI:  https://github.com/OlegApanovich/import-products-from-gsheet-for-woo-importer
  * Description: Import woocommerce products from google sheet by using native woocommerce importer
- * Version:     2.4
+ * Version:     2.4.1
  * Author:      Oleg Apanovich
  * Author URI:  https://github.com/OlegApanovich
  * License:     GPL-3.0+
diff -ru /home/deploy/wp-safety.org/data/plugin-versions/import-products-from-gsheet-for-woo-importer/2.4/README.txt /home/deploy/wp-safety.org/data/plugin-versions/import-products-from-gsheet-for-woo-importer/2.4.1/README.txt
--- /home/deploy/wp-safety.org/data/plugin-versions/import-products-from-gsheet-for-woo-importer/2.4/README.txt	2026-04-19 08:17:58.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/import-products-from-gsheet-for-woo-importer/2.4.1/README.txt	2026-04-23 06:40:18.000000000 +0000
@@ -4,7 +4,7 @@
 Tags: woocommerce, importer, google sheet
 Requires at least: 5.9
 Tested up to: 6.9
-Stable tag: 2.3
+Stable tag: 2.4.1
 Requires PHP: 8.1
 License: GPLv3 or later
 License URI: https://www.gnu.org/licenses/gpl-3.0.html

Exploit Outline

An attacker with Subscriber-level authentication can trigger a settings reset by sending a POST request to the WordPress AJAX endpoint (/wp-admin/admin-ajax.php) with the action 'gswoo_restore_action'. If a nonce check is implemented, the attacker can likely obtain the required nonce from the admin dashboard (e.g., via localized scripts in the dashboard source). Because the 'process_ajax_restore_action' function lacks a capability check (like 'current_user_can'), the server will proceed to delete sensitive configuration options including the Google Sheets API token and plugin settings upon receiving the request.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.