[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fwJxLffVbxLAuBQ5svZlmE_3cVmq3x71kzEcVFaIphIk":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":24,"research_verified":25,"research_rounds_completed":26,"research_plan":27,"research_summary":28,"research_vulnerable_code":9,"research_fix_diff":29,"research_exploit_outline":30,"research_model_used":31,"research_started_at":32,"research_completed_at":33,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":25,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":25,"source_links":34},"CVE-2026-4843","gsheet-for-woo-importer-missing-authorization-to-authenticated-subscriber-plugin-settings-reset","GSheet For Woo Importer \u003C= 2.3.1 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Reset","The GSheet For Woo Importer plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the process_ajax_restore_action() function in all versions up to, and including, 2.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the plugin's Google Sheets API token and configuration options.","import-products-from-gsheet-for-woo-importer",null,"\u003C=2.3.1","2.4.1","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-05-21 06:40:29","2026-05-21 19:29:12",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fb0d60991-0675-4efa-9427-380e6b59fe28?source=api-prod",1,[22,23],"README.txt","import-products-from-gsheet-for-woo-importer.php","researched",false,3,"# Exploitation Research Plan - CVE-2026-4843\n\n## 1. Vulnerability Summary\nThe **GSheet For Woo Importer** plugin (up to version 2.3.1) is vulnerable to unauthorized data loss. The class `GSWOO\\Actions\\AdminSettingsAction` registers an AJAX handler `process_ajax_restore_action()` via the `wp_ajax_` hook. Because this handler fails to implement a capability check (e.g., `current_user_can( 'manage_options' )`), any authenticated user, including those with Subscriber-level permissions, can trigger the function. The function's purpose is to reset plugin configurations, effectively deleting the Google Sheets API token and connection settings, which disrupts the plugin's core functionality.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action:** Likely `gswoo_restore_action` (to be confirmed from `AdminSettingsAction.php`)\n- **HTTP Method:** `POST`\n- **Authentication:** Required (Subscriber or higher)\n- **Parameters:**\n    - `action`: The AJAX action string.\n    - `security`\u002F`_ajax_nonce`: (If implemented) A nonce for CSRF protection.\n- **Preconditions:** The plugin must be configured with an API token or settings for the \"reset\" to be impactful.\n\n## 3. Code Flow\n1. **Initialization:** `GSWOO_Plugin::__construct` calls `init_actions()`.\n2. **Action Registration:** `init_actions()` instantiates `GSWOO\\Actions\\AdminSettingsAction`.\n3. **Hooking:** Inside `AdminSettingsAction`, a hook is registered: `add_action( 'wp_ajax_gswoo_restore_action', [ $this, 'process_ajax_restore_action' ] );`.\n4. **Processing:** When a Subscriber sends a POST request to `admin-ajax.php` with `action=gswoo_restore_action`:\n    - WordPress identifies the user as authenticated.\n    - WordPress executes the callback `process_ajax_restore_action()`.\n    - The function fails to check the user's capabilities.\n    - The function proceeds to call `delete_option()` or `update_option()` on sensitive keys like `gswoo_google_sheet_settings` or `gswoo_access_token`.\n\n## 4. Nonce Acquisition Strategy\nIf the function uses `check_ajax_referer`, we must find where the nonce is generated.\n1. **Identify Nonce Registration:** Look for `wp_localize_script` in `includes\u002FActions\u002FAdminSettingsAction.php` (or similar).\n2. **Determine Scope:** If the script is enqueued using the `admin_enqueue_scripts` hook without checking the page slug, the nonce will be visible to a Subscriber on any admin page (e.g., `\u002Fwp-admin\u002Fprofile.php` or `\u002Fwp-admin\u002Findex.php`).\n3. **Extraction:**\n    - Navigate to `\u002Fwp-admin\u002Findex.php` as a Subscriber.\n    - Use `browser_eval` to extract the nonce:\n      `browser_eval(\"window.gswoo_admin_params?.nonce\")` (Variable names are inferred and must be verified in the source).\n\n## 5. Exploitation Strategy\n\n### Step 1: Preliminary Analysis\nConfirm the exact AJAX action and nonce name.\n```bash\n# Locate the settings action file\nfind . -name \"AdminSettingsAction.php\"\n\n# Find the AJAX action name\ngrep -r \"wp_ajax_\" .\n\n# Find the implementation of process_ajax_restore_action\ngrep -n \"function process_ajax_restore_action\" -A 20 includes\u002FActions\u002FAdminSettingsAction.php\n```\n\n### Step 2: Setup Settings\nAs an admin, save dummy settings so there is something to delete.\n```bash\nwp option update gswoo_google_sheet_settings '{\"client_id\":\"test_id\",\"client_secret\":\"test_secret\"}' --format=json\nwp option update gswoo_access_token 'test_token'\n```\n\n### Step 3: Extract Nonce (if applicable)\nIf the code reveals a nonce check:\n1. Log in as Subscriber.\n2. Navigate to `\u002Fwp-admin\u002Findex.php`.\n3. Extract nonce from the identified JS global variable.\n\n### Step 4: Execute Reset\nSend the unauthorized request as the Subscriber.\n\n**Request Template:**\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method:** `POST`\n- **Content-Type:** `application\u002Fx-www-form-urlencoded`\n- **Body:** `action=[ACTION_NAME]&security=[NONCE]`\n\n### Step 5: Verification\nCheck if the options still exist.\n\n## 6. Test Data Setup\n1. **User:** Create a subscriber user.\n   `wp user create attacker attacker@example.com --role=subscriber --user_pass=password`\n2. **Plugin Data:** Ensure the plugin options are populated.\n   `wp option get gswoo_google_sheet_settings`\n\n## 7. Expected Results\n- The AJAX response should return a success status (e.g., `{\"success\":true}` or `1`).\n- Following the request, `wp option get gswoo_google_sheet_settings` should return an empty result or error, indicating the data was deleted.\n\n## 8. Verification Steps\n```bash\n# Check if settings were cleared\nwp option get gswoo_google_sheet_settings\nwp option get gswoo_access_token\n\n# If successful, these should be empty or return 'Error: Could not get option'\n```\n\n## 9. Alternative Approaches\nIf `wp_ajax_gswoo_restore_action` is not the correct name:\n- Search for `restore` or `reset` strings in the entire plugin directory.\n- Monitor network traffic while clicking the \"Restore\u002FReset\" button in the admin settings as an administrator to capture the exact parameters.\n- Check if the function uses `$_POST` or `$_REQUEST` for parameters and if it specifically targets `delete_option`.","The GSheet For Woo Importer plugin for WordPress is vulnerable to unauthorized data loss in versions up to, and including, 2.3.1. This is due to a missing capability check on the process_ajax_restore_action() function, which allows authenticated attackers with subscriber-level permissions or higher to reset plugin configurations and delete the Google Sheets API token.","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fimport-products-from-gsheet-for-woo-importer\u002F2.4\u002Fimport-products-from-gsheet-for-woo-importer.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fimport-products-from-gsheet-for-woo-importer\u002F2.4.1\u002Fimport-products-from-gsheet-for-woo-importer.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fimport-products-from-gsheet-for-woo-importer\u002F2.4\u002Fimport-products-from-gsheet-for-woo-importer.php\t2026-04-19 08:17:58.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fimport-products-from-gsheet-for-woo-importer\u002F2.4.1\u002Fimport-products-from-gsheet-for-woo-importer.php\t2026-04-23 06:40:18.000000000 +0000\n@@ -8,7 +8,7 @@\n  * Plugin Name: GSheet For Woo Importer\n  * Plugin URI:  https:\u002F\u002Fgithub.com\u002FOlegApanovich\u002Fimport-products-from-gsheet-for-woo-importer\n  * Description: Import woocommerce products from google sheet by using native woocommerce importer\n- * Version:     2.4\n+ * Version:     2.4.1\n  * Author:      Oleg Apanovich\n  * Author URI:  https:\u002F\u002Fgithub.com\u002FOlegApanovich\n  * License:     GPL-3.0+\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fimport-products-from-gsheet-for-woo-importer\u002F2.4\u002FREADME.txt \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fimport-products-from-gsheet-for-woo-importer\u002F2.4.1\u002FREADME.txt\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fimport-products-from-gsheet-for-woo-importer\u002F2.4\u002FREADME.txt\t2026-04-19 08:17:58.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fimport-products-from-gsheet-for-woo-importer\u002F2.4.1\u002FREADME.txt\t2026-04-23 06:40:18.000000000 +0000\n@@ -4,7 +4,7 @@\n Tags: woocommerce, importer, google sheet\n Requires at least: 5.9\n Tested up to: 6.9\n-Stable tag: 2.3\n+Stable tag: 2.4.1\n Requires PHP: 8.1\n License: GPLv3 or later\n License URI: https:\u002F\u002Fwww.gnu.org\u002Flicenses\u002Fgpl-3.0.html","An attacker with Subscriber-level authentication can trigger a settings reset by sending a POST request to the WordPress AJAX endpoint (\u002Fwp-admin\u002Fadmin-ajax.php) with the action 'gswoo_restore_action'. If a nonce check is implemented, the attacker can likely obtain the required nonce from the admin dashboard (e.g., via localized scripts in the dashboard source). Because the 'process_ajax_restore_action' function lacks a capability check (like 'current_user_can'), the server will proceed to delete sensitive configuration options including the Google Sheets API token and plugin settings upon receiving the request.","gemini-3-flash-preview","2026-06-04 22:16:04","2026-06-04 22:16:44",{"type":35,"vulnerable_version":36,"fixed_version":11,"vulnerable_browse":37,"vulnerable_zip":38,"fixed_browse":39,"fixed_zip":40,"all_tags":41},"plugin","2.4","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fimport-products-from-gsheet-for-woo-importer\u002Ftags\u002F2.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fimport-products-from-gsheet-for-woo-importer.2.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fimport-products-from-gsheet-for-woo-importer\u002Ftags\u002F2.4.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fimport-products-from-gsheet-for-woo-importer.2.4.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fimport-products-from-gsheet-for-woo-importer\u002Ftags"]