CVE-2025-8593 HIGH

CVE-2025-8593: GSheetConnector For Gravity Forms <= 1.3.27 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation

Vendor Westerndeal
Product GSheetConnector for Gravity Forms – Send Gravity Forms Entries to Google Sheets in Real-Time
Weakness CWE-862 · Missing authorization
Published October 11, 2025
Last update April 8, 2026

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

The GSheetConnector For Gravity Forms plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.3.27. The cause is a missing capability check on the plugin's 'install_plugin' function: the code never verifies that the calling user is allowed to install plugins before it does so. Authenticated attackers with Subscriber-level access or higher can therefore install plugins on the target site and, because installing a plugin writes PHP code to the server, potentially achieve arbitrary code execution under certain conditions.
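The bug class named here (CWE-862, a privileged action reachable without a capability check) is easiest to see in code. The following is an added illustrative example, not the GSheetConnector plugin's source: a hypothetical WordPress AJAX handler in which the action names, function names and the `slug` request parameter are all assumptions. It shows the handler first without any authorization check, then with the nonce and capability checks that a plugin-installation endpoint needs.

```php
<?php
/**
 * Illustrative WordPress AJAX handler for installing a plugin.
 * Hypothetical code written for this page, NOT the GSheetConnector plugin's
 * source: action names, function names and the 'slug' parameter are assumptions.
 */

/*
 * --- Vulnerable pattern -------------------------------------------------
 * The wp_ajax_{action} hook fires for every authenticated user, Subscriber
 * included. Nothing in this handler verifies that the caller is permitted to
 * install plugins, so the upgrader runs on behalf of the lowest-privileged
 * account on the site.
 */
add_action( 'wp_ajax_demo_install_plugin_vuln', 'demo_install_plugin_vuln' );
function demo_install_plugin_vuln() {
    $slug = sanitize_key( $_POST['slug'] ?? '' );

    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';

    $api = plugins_api( 'plugin_information', array( 'slug' => $slug ) );
    if ( is_wp_error( $api ) ) {
        wp_send_json_error( $api->get_error_message() );
    }

    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $upgrader->install( $api->download_link ); // any logged-in user lands code on disk
    wp_send_json_success();
}

/*
 * --- Hardened pattern ---------------------------------------------------
 * Reject the request before any privileged work: a nonce bound to this
 * action (CSRF) and the core install_plugins capability (authorization, the
 * check that CWE-862 describes as missing). Administrators hold
 * install_plugins by default; Subscriber, Contributor, Author and Editor do not.
 */
add_action( 'wp_ajax_demo_install_plugin_safe', 'demo_install_plugin_safe' );
function demo_install_plugin_safe() {
    check_ajax_referer( 'demo_install_plugin', 'nonce' );

    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( 'Insufficient permissions.', 403 );
    }

    $slug = sanitize_key( $_POST['slug'] ?? '' );
    if ( '' === $slug ) {
        wp_send_json_error( 'Missing plugin slug.', 400 );
    }

    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';

    // Resolve the package through the wordpress.org API rather than accepting
    // a caller-supplied download URL, so only repository packages are installed.
    $api = plugins_api(
        'plugin_information',
        array( 'slug' => $slug, 'fields' => array( 'sections' => false ) )
    );
    if ( is_wp_error( $api ) ) {
        wp_send_json_error( $api->get_error_message(), 400 );
    }

    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $api->download_link );
    if ( is_wp_error( $result ) || ! $result ) {
        wp_send_json_error( 'Installation failed.', 500 );
    }

    wp_send_json_success( array( 'installed' => $slug ) );
}
```

The nonce alone would not fix the advisory's bug: a Subscriber can obtain a valid nonce for an action the plugin exposes to them, so `check_ajax_referer()` only stops cross-site request forgery. The line that closes CWE-862 is the `current_user_can( 'install_plugins' )` check, which must run before the upgrader is even loaded. For the GSheetConnector plugin itself the only remediation the page supports is updating to a release newer than 1.3.27.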

Explanation of Vulnerability in Simple Terms

02 Summary

GSheetConnector for Gravity Forms versions up to and including 1.3.27 do not check whether the user calling the plugin's install function is allowed to install plugins. Any logged-in user, even one holding nothing more than a Subscriber account, can trigger that function and install a plugin on the site. Since plugin installation writes PHP code to the server, this can lead to arbitrary code execution under certain conditions. Every site running an affected version is exposed.

What an attacker can do

03 Attacker Capabilities

Install plugins on the site from a Subscriber-level (or higher) account, with no capability check standing in the way, and under certain conditions use the installed code to achieve arbitrary code execution on the server.

Potential impact on your site

04 Site Impact

Any logged-in user can add plugin code to the site. The CVSS vector rates the impact on confidentiality, integrity and availability as High: a successful attacker can potentially run code on the server, which puts site data, site integrity and site availability at risk.

Conditions required to exploit

05 Prerequisites

The site runs GSheetConnector for Gravity Forms 1.3.27 or earlier, and the attacker holds an authenticated account on it (for example, one obtained through the site's own user registration if that is enabled). The lowest default role, Subscriber, is sufficient. The attack is carried out over the network and requires no interaction from an administrator.

Key dates

06 Disclosure timeline

October 11, 2025 CVE published
April 8, 2026 Record updated
