PT-2026-21887 · WordPress · Wpgsi: Spreadsheet Integration

Javmah · Published 2026-02-25 · Updated 2026-03-02 · CVE-2026-1916

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: WPGSI: Spreadsheet Integration plugin for WordPress, versions through 3.8.3

Description: The WPGSI: Spreadsheet Integration plugin for WordPress is susceptible to unauthorized modification and data loss. This is due to the absence of proper capability checks and a weak authentication method. The REST API functions wpgsi callBackFuncAccept and wpgsi callBackFuncUpdate lack authentication, allowing unauthenticated access because they are registered with `permission_callback => '__return_true'`. The plugin employs a custom token-based validation system that relies on Base64-encoded JSON objects containing the user ID and email address, but this system is not cryptographically secured: the token carries no signature or secret, so possessing the right public values is enough to produce a valid one. Attackers can forge tokens using publicly available information, specifically the administrator's email address and an active integration ID, to create, modify, and delete WordPress posts and pages when remote updates are enabled.

Recommendations: Update to a version beyond 3.8.3.
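The two defects the description names, an open `permission_callback` and an unsigned Base64 JSON token, shown as an added example beside a hardened form. This is illustrative code, not the plugin's own; the route names, header name, callback name and token layout are assumptions.

```php
<?php
// Added example (not the plugin's code); route names, header and callback are hypothetical.

// Weak: route open to everyone, and the "token" is plain base64(JSON) that anyone
// who knows a user ID and email can build; no secret is involved in checking it.
function weak_validate_token( $token ) {
    $data = json_decode( base64_decode( $token, true ), true );
    if ( ! is_array( $data ) || empty( $data['user_id'] ) || empty( $data['email'] ) ) {
        return false;
    }
    $user = get_user_by( 'id', (int) $data['user_id'] );
    return $user && $user->user_email === $data['email'];
}
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/update', array(
        'methods'             => 'POST',
        'callback'            => 'example_update_post',
        'permission_callback' => '__return_true', // unauthenticated access
    ) );
} );

// Hardened: the token is payload.HMAC-SHA256(payload) under a server-side secret,
// verified in constant time, and the route still checks the named user's capability.
function hardened_issue_token( $user_id ) {
    $payload = base64_encode( wp_json_encode( array( 'user_id' => (int) $user_id ) ) );
    return $payload . '.' . hash_hmac( 'sha256', $payload, wp_salt( 'auth' ) );
}
function hardened_validate_token( $token ) {
    $parts = explode( '.', $token, 2 );
    if ( count( $parts ) !== 2 ) {
        return false;
    }
    list( $payload, $sig ) = $parts;
    if ( ! hash_equals( hash_hmac( 'sha256', $payload, wp_salt( 'auth' ) ), $sig ) ) {
        return false; // forged or tampered token
    }
    $data = json_decode( base64_decode( $payload, true ), true );
    return ( is_array( $data ) && ! empty( $data['user_id'] ) ) ? (int) $data['user_id'] : false;
}
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/update-hardened', array(
        'methods'             => 'POST',
        'callback'            => 'example_update_post',
        'permission_callback' => function ( WP_REST_Request $request ) {
            $user_id = hardened_validate_token( (string) $request->get_header( 'x-integration-token' ) );
            return $user_id && user_can( $user_id, 'edit_posts' );
        },
    ) );
} );
```

The hardened route fails closed on a missing, malformed or unsigned token, and a valid token alone is still not enough without the `edit_posts` capability.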

Fix

Weakness Enumeration

Missing Authorization

Related identifiers

CVE-2026-1916

Affected products

Wpgsi: Spreadsheet Integration