CVE-2025-67979 CRITICAL

CVE-2025-67979: WordPress WPForms Google Sheet Connector plugin <= 4.0.1 - Remote Code Execution (RCE) vulnerability

Vendor Westerndeal
Product WPForms Google Sheet Connector
Weakness CWE-94 · Code injection
Published February 20, 2026
Last update April 28, 2026

CVSS base score

9.9/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01 Description

Improper Control of Generation of Code ('Code Injection') vulnerability in WesternDeal WPForms Google Sheet Connector (gsheetconnector-wpforms) allows Code Injection. This issue affects WPForms Google Sheet Connector: from n/a through <= 4.0.1.

Explanation of Vulnerability in Simple Terms

02 Summary

WPForms Google Sheet Connector versions 4.0.1 and earlier allow authenticated users with low privileges to inject and execute arbitrary code on the site. The vulnerability affects the entire system due to scope change. An attacker can read sensitive data, modify site content, or disrupt service availability.

What an attacker can do

03 Attacker Capabilities

Run arbitrary code on the site, read sensitive data, modify content, or disable the site.

Potential impact on your site

04 Site Impact

Any low-privilege user account can compromise the entire WordPress installation and access all data.

Conditions required to exploit

05 Prerequisites

Attacker must have a low-privilege user account (e.g., subscriber or contributor role).

Key dates

06 Disclosure timeline

February 20, 2026 CVE published
April 28, 2026 Record updated
