GSheet For Woo Importer <= 2.3.1 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Reset
Description
The GSheet For Woo Importer plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the process_ajax_restore_action() function in all versions up to, and including, 2.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the plugin's Google Sheets API token and configuration options.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=2.3.1What Changed in the Fix
Changes introduced in v2.4.1
Source Code
WordPress.org SVN# Exploitation Research Plan - CVE-2026-4843 ## 1. Vulnerability Summary The **GSheet For Woo Importer** plugin (up to version 2.3.1) is vulnerable to unauthorized data loss. The class `GSWOO\Actions\AdminSettingsAction` registers an AJAX handler `process_ajax_restore_action()` via the `wp_ajax_` h…
Show full research plan
Exploitation Research Plan - CVE-2026-4843
1. Vulnerability Summary
The GSheet For Woo Importer plugin (up to version 2.3.1) is vulnerable to unauthorized data loss. The class GSWOO\Actions\AdminSettingsAction registers an AJAX handler process_ajax_restore_action() via the wp_ajax_ hook. Because this handler fails to implement a capability check (e.g., current_user_can( 'manage_options' )), any authenticated user, including those with Subscriber-level permissions, can trigger the function. The function's purpose is to reset plugin configurations, effectively deleting the Google Sheets API token and connection settings, which disrupts the plugin's core functionality.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - Action: Likely
gswoo_restore_action(to be confirmed fromAdminSettingsAction.php) - HTTP Method:
POST - Authentication: Required (Subscriber or higher)
- Parameters:
action: The AJAX action string.security/_ajax_nonce: (If implemented) A nonce for CSRF protection.
- Preconditions: The plugin must be configured with an API token or settings for the "reset" to be impactful.
3. Code Flow
- Initialization:
GSWOO_Plugin::__constructcallsinit_actions(). - Action Registration:
init_actions()instantiatesGSWOO\Actions\AdminSettingsAction. - Hooking: Inside
AdminSettingsAction, a hook is registered:add_action( 'wp_ajax_gswoo_restore_action', [ $this, 'process_ajax_restore_action' ] );. - Processing: When a Subscriber sends a POST request to
admin-ajax.phpwithaction=gswoo_restore_action:- WordPress identifies the user as authenticated.
- WordPress executes the callback
process_ajax_restore_action(). - The function fails to check the user's capabilities.
- The function proceeds to call
delete_option()orupdate_option()on sensitive keys likegswoo_google_sheet_settingsorgswoo_access_token.
4. Nonce Acquisition Strategy
If the function uses check_ajax_referer, we must find where the nonce is generated.
- Identify Nonce Registration: Look for
wp_localize_scriptinincludes/Actions/AdminSettingsAction.php(or similar). - Determine Scope: If the script is enqueued using the
admin_enqueue_scriptshook without checking the page slug, the nonce will be visible to a Subscriber on any admin page (e.g.,/wp-admin/profile.phpor/wp-admin/index.php). - Extraction:
- Navigate to
/wp-admin/index.phpas a Subscriber. - Use
browser_evalto extract the nonce:browser_eval("window.gswoo_admin_params?.nonce")(Variable names are inferred and must be verified in the source).
- Navigate to
5. Exploitation Strategy
Step 1: Preliminary Analysis
Confirm the exact AJAX action and nonce name.
# Locate the settings action file
find . -name "AdminSettingsAction.php"
# Find the AJAX action name
grep -r "wp_ajax_" .
# Find the implementation of process_ajax_restore_action
grep -n "function process_ajax_restore_action" -A 20 includes/Actions/AdminSettingsAction.php
Step 2: Setup Settings
As an admin, save dummy settings so there is something to delete.
wp option update gswoo_google_sheet_settings '{"client_id":"test_id","client_secret":"test_secret"}' --format=json
wp option update gswoo_access_token 'test_token'
Step 3: Extract Nonce (if applicable)
If the code reveals a nonce check:
- Log in as Subscriber.
- Navigate to
/wp-admin/index.php. - Extract nonce from the identified JS global variable.
Step 4: Execute Reset
Send the unauthorized request as the Subscriber.
Request Template:
- URL:
http://localhost:8080/wp-admin/admin-ajax.php - Method:
POST - Content-Type:
application/x-www-form-urlencoded - Body:
action=[ACTION_NAME]&security=[NONCE]
Step 5: Verification
Check if the options still exist.
6. Test Data Setup
- User: Create a subscriber user.
wp user create attacker attacker@example.com --role=subscriber --user_pass=password - Plugin Data: Ensure the plugin options are populated.
wp option get gswoo_google_sheet_settings
7. Expected Results
- The AJAX response should return a success status (e.g.,
{"success":true}or1). - Following the request,
wp option get gswoo_google_sheet_settingsshould return an empty result or error, indicating the data was deleted.
8. Verification Steps
# Check if settings were cleared
wp option get gswoo_google_sheet_settings
wp option get gswoo_access_token
# If successful, these should be empty or return 'Error: Could not get option'
9. Alternative Approaches
If wp_ajax_gswoo_restore_action is not the correct name:
- Search for
restoreorresetstrings in the entire plugin directory. - Monitor network traffic while clicking the "Restore/Reset" button in the admin settings as an administrator to capture the exact parameters.
- Check if the function uses
$_POSTor$_REQUESTfor parameters and if it specifically targetsdelete_option.
Summary
The GSheet For Woo Importer plugin for WordPress is vulnerable to unauthorized data loss in versions up to, and including, 2.3.1. This is due to a missing capability check on the process_ajax_restore_action() function, which allows authenticated attackers with subscriber-level permissions or higher to reset plugin configurations and delete the Google Sheets API token.
Security Fix
@@ -8,7 +8,7 @@ * Plugin Name: GSheet For Woo Importer * Plugin URI: https://github.com/OlegApanovich/import-products-from-gsheet-for-woo-importer * Description: Import woocommerce products from google sheet by using native woocommerce importer - * Version: 2.4 + * Version: 2.4.1 * Author: Oleg Apanovich * Author URI: https://github.com/OlegApanovich * License: GPL-3.0+ @@ -4,7 +4,7 @@ Tags: woocommerce, importer, google sheet Requires at least: 5.9 Tested up to: 6.9 -Stable tag: 2.3 +Stable tag: 2.4.1 Requires PHP: 8.1 License: GPLv3 or later License URI: https://www.gnu.org/licenses/gpl-3.0.html
Exploit Outline
An attacker with Subscriber-level authentication can trigger a settings reset by sending a POST request to the WordPress AJAX endpoint (/wp-admin/admin-ajax.php) with the action 'gswoo_restore_action'. If a nonce check is implemented, the attacker can likely obtain the required nonce from the admin dashboard (e.g., via localized scripts in the dashboard source). Because the 'process_ajax_restore_action' function lacks a capability check (like 'current_user_can'), the server will proceed to delete sensitive configuration options including the Google Sheets API token and plugin settings upon receiving the request.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.