CVE-2026-1916 - Vulnerability Details

Link	Providers
https://plugins.trac.wordpress.org/browser/wpgsi/tags/3.8.3/admin/class-wpgsi-update.php#L116
https://plugins.trac.wordpress.org/browser/wpgsi/tags/3.8.3/admin/class-wpgsi-update.php#L636
https://plugins.trac.wordpress.org/browser/wpgsi/tags/3.8.3/admin/class-wpgsi-update.php#L94
https://plugins.trac.wordpress.org/browser/wpgsi/trunk/admin/class-wpgsi-update.php#L116
https://plugins.trac.wordpress.org/browser/wpgsi/trunk/admin/class-wpgsi-update.php#L636
https://plugins.trac.wordpress.org/browser/wpgsi/trunk/admin/class-wpgsi-update.php#L94
https://plugins.trac.wordpress.org/changeset/3461326/wpgsi/trunk/admin/class-wpgsi-update.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/7598b38b-26b1-4640-9bd7-60613a5f704d?source=cve

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Type	Values Removed	Values Added
Description		The WPGSI: Spreadsheet Integration plugin for WordPress is vulnerable to unauthorized modification and loss of data due to missing capability checks and an insecure authentication mechanism on the `wpgsi_callBackFuncAccept` and `wpgsi_callBackFuncUpdate` REST API functions in all versions up to, and including, 3.8.3. Both REST endpoints use `permission_callback => '__return_true'`, allowing unauthenticated access. The plugin's custom token-based validation relies on a Base64-encoded JSON object containing the user ID and email address, but is not cryptographically signed. This makes it possible for unauthenticated attackers to forge tokens using publicly enumerable information (admin user ID and email) to create, modify, and delete arbitrary WordPress posts and pages, granted they know the administrator's email address and an active integration ID with remote updates enabled.
Title		WPGSI: Spreadsheet Integration <= 3.8.3 - Missing Authorization to Unauthenticated Arbitrary Post Creation and Deletion via Forged Base64 Token
Weaknesses		CWE-862
References		https://plugins.trac.wordpress.org/browser/wpgsi/tags/3.8.3/admin/class-wpgsi-update.php#L116 https://plugins.trac.wordpress.org/browser/wpgsi/tags/3.8.3/admin/class-wpgsi-update.php#L636 https://plugins.trac.wordpress.org/browser/wpgsi/tags/3.8.3/admin/class-wpgsi-update.php#L94 https://plugins.trac.wordpress.org/browser/wpgsi/trunk/admin/class-wpgsi-update.php#L116 https://plugins.trac.wordpress.org/browser/wpgsi/trunk/admin/class-wpgsi-update.php#L636 https://plugins.trac.wordpress.org/browser/wpgsi/trunk/admin/class-wpgsi-update.php#L94 https://plugins.trac.wordpress.org/changeset/3461326/wpgsi/trunk/admin/class-wpgsi-update.php https://www.wordfence.com/threat-intel/vulnerabilities/id/7598b38b-26b1-4640-9bd7-60613a5f704d?source=cve
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}`

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1916", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-04T15:54:39.204Z", "datePublished": "2026-02-25T08:25:31.051Z", "dateUpdated": "2026-02-25T16:50:00.569Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-02-25T08:25:31.051Z"}, "affected": [{"vendor": "javmah", "product": "WPGSI: Spreadsheet Integration", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "3.8.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WPGSI: Spreadsheet Integration plugin for WordPress is vulnerable to unauthorized modification and loss of data due to missing capability checks and an insecure authentication mechanism on the `wpgsi_callBackFuncAccept` and `wpgsi_callBackFuncUpdate` REST API functions in all versions up to, and including, 3.8.3. Both REST endpoints use `permission_callback => '__return_true'`, allowing unauthenticated access. The plugin's custom token-based validation relies on a Base64-encoded JSON object containing the user ID and email address, but is not cryptographically signed. This makes it possible for unauthenticated attackers to forge tokens using publicly enumerable information (admin user ID and email) to create, modify, and delete arbitrary WordPress posts and pages, granted they know the administrator's email address and an active integration ID with remote updates enabled."}], "title": "WPGSI: Spreadsheet Integration <= 3.8.3 - Missing Authorization to Unauthenticated Arbitrary Post Creation and Deletion via Forged Base64 Token", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7598b38b-26b1-4640-9bd7-60613a5f704d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wpgsi/tags/3.8.3/admin/class-wpgsi-update.php#L94"}, {"url": "https://plugins.trac.wordpress.org/browser/wpgsi/tags/3.8.3/admin/class-wpgsi-update.php#L116"}, {"url": "https://plugins.trac.wordpress.org/browser/wpgsi/tags/3.8.3/admin/class-wpgsi-update.php#L636"}, {"url": "https://plugins.trac.wordpress.org/browser/wpgsi/trunk/admin/class-wpgsi-update.php#L94"}, {"url": "https://plugins.trac.wordpress.org/browser/wpgsi/trunk/admin/class-wpgsi-update.php#L116"}, {"url": "https://plugins.trac.wordpress.org/browser/wpgsi/trunk/admin/class-wpgsi-update.php#L636"}, {"url": "https://plugins.trac.wordpress.org/changeset/3461326/wpgsi/trunk/admin/class-wpgsi-update.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Osvaldo Noe Gonzalez Del Rio"}], "timeline": [{"time": "2026-02-04T16:09:49.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-02-24T19:34:56.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-25T16:45:00.950996Z", "id": "CVE-2026-1916", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-25T16:50:00.569Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1916", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-04T15:54:39.204Z", "datePublished": "2026-02-25T08:25:31.051Z", "dateUpdated": "2026-02-25T16:50:00.569Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-02-25T08:25:31.051Z"}, "affected": [{"vendor": "javmah", "product": "WPGSI: Spreadsheet Integration", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "3.8.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WPGSI: Spreadsheet Integration plugin for WordPress is vulnerable to unauthorized modification and loss of data due to missing capability checks and an insecure authentication mechanism on the `wpgsi_callBackFuncAccept` and `wpgsi_callBackFuncUpdate` REST API functions in all versions up to, and including, 3.8.3. Both REST endpoints use `permission_callback => '__return_true'`, allowing unauthenticated access. The plugin's custom token-based validation relies on a Base64-encoded JSON object containing the user ID and email address, but is not cryptographically signed. This makes it possible for unauthenticated attackers to forge tokens using publicly enumerable information (admin user ID and email) to create, modify, and delete arbitrary WordPress posts and pages, granted they know the administrator's email address and an active integration ID with remote updates enabled."}], "title": "WPGSI: Spreadsheet Integration <= 3.8.3 - Missing Authorization to Unauthenticated Arbitrary Post Creation and Deletion via Forged Base64 Token", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7598b38b-26b1-4640-9bd7-60613a5f704d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wpgsi/tags/3.8.3/admin/class-wpgsi-update.php#L94"}, {"url": "https://plugins.trac.wordpress.org/browser/wpgsi/tags/3.8.3/admin/class-wpgsi-update.php#L116"}, {"url": "https://plugins.trac.wordpress.org/browser/wpgsi/tags/3.8.3/admin/class-wpgsi-update.php#L636"}, {"url": "https://plugins.trac.wordpress.org/browser/wpgsi/trunk/admin/class-wpgsi-update.php#L94"}, {"url": "https://plugins.trac.wordpress.org/browser/wpgsi/trunk/admin/class-wpgsi-update.php#L116"}, {"url": "https://plugins.trac.wordpress.org/browser/wpgsi/trunk/admin/class-wpgsi-update.php#L636"}, {"url": "https://plugins.trac.wordpress.org/changeset/3461326/wpgsi/trunk/admin/class-wpgsi-update.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Osvaldo Noe Gonzalez Del Rio"}], "timeline": [{"time": "2026-02-04T16:09:49.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-02-24T19:34:56.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1916", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-25T16:45:00.950996Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-25T16:49:53.672Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WPGSI: Spreadsheet Integration plugin for WordPress is vulnerable to unauthorized modification and loss of data due to missing capability checks and an insecure authentication mechanism on the `wpgsi_callBackFuncAccept` and `wpgsi_callBackFuncUpdate` REST API functions in all versions up to, and including, 3.8.3. Both REST endpoints use `permission_callback => '__return_true'`, allowing unauthenticated access. The plugin's custom token-based validation relies on a Base64-encoded JSON object containing the user ID and email address, but is not cryptographically signed. This makes it possible for unauthenticated attackers to forge tokens using publicly enumerable information (admin user ID and email) to create, modify, and delete arbitrary WordPress posts and pages, granted they know the administrator's email address and an active integration ID with remote updates enabled."}], "id": "CVE-2026-1916", "lastModified": "2026-02-25T14:15:29.980", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-02-25T09:16:14.943", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wpgsi/tags/3.8.3/admin/class-wpgsi-update.php#L116"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wpgsi/tags/3.8.3/admin/class-wpgsi-update.php#L636"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wpgsi/tags/3.8.3/admin/class-wpgsi-update.php#L94"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wpgsi/trunk/admin/class-wpgsi-update.php#L116"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wpgsi/trunk/admin/class-wpgsi-update.php#L636"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wpgsi/trunk/admin/class-wpgsi-update.php#L94"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3461326/wpgsi/trunk/admin/class-wpgsi-update.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7598b38b-26b1-4640-9bd7-60613a5f704d?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Primary"}]}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Affected Vendors & Products