What the vulnerability does
01Description
The GSheetConnector For Ninja Forms plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'njform-google-sheet-config ' page in all versions up to, and including, 2.0.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve information about the system.
Explanation of Vulnerability in Simple Terms
02Summary
GSheetConnector For Ninja Forms versions 2.0.1 and earlier lack proper authorization checks, allowing authenticated users to access sensitive information they should not be able to view. A logged-in user with low privileges can read data without proper permission validation. The vulnerability affects the plugin's data handling between Google Sheets and Ninja Forms.
What an attacker can do
03Attacker Capabilities
Read sensitive data from Google Sheets connections without proper authorization.
Potential impact on your site
04Site Impact
Unauthorized users can access confidential form data and Google Sheets information connected via this plugin.
Conditions required to exploit
05Prerequisites
Attacker must be logged in to the WordPress site with at least a low-privilege account.
Key dates
06Disclosure timeline
November 22, 2025
CVE published
April 8, 2026
Record updated