What the vulnerability does
01Description
Improper Control of Generation of Code ('Code Injection') vulnerability in WesternDeal WPForms Google Sheet Connector gsheetconnector-wpforms allows Code Injection.This issue affects WPForms Google Sheet Connector: from n/a through <= 4.0.1.
Explanation of Vulnerability in Simple Terms
02Summary
WPForms Google Sheet Connector versions 4.0.1 and earlier allow authenticated users with low privileges to inject and execute arbitrary code on the site. The vulnerability affects the entire system due to scope change. An attacker can read sensitive data, modify site content, or disrupt service availability.
What an attacker can do
03Attacker Capabilities
Run arbitrary code on the site, read sensitive data, modify content, or disable the site.
Potential impact on your site
04Site Impact
Any low-privilege user account can compromise the entire WordPress installation and access all data.
Conditions required to exploit
05Prerequisites
Attacker must have a low-privilege user account (e.g., subscriber or contributor role).
Key dates
06Disclosure timeline
February 20, 2026
CVE published
April 28, 2026
Record updated