What the vulnerability does
01 Description
The GSheetConnector For Gravity Forms plugin for WordPress is vulnerable to authorization bypass in versions less than or equal to 1.3.27. This is due to a missing capability check on the 'install_plugin' function. This makes it possible for authenticated attackers with subscriber-level access and above to install plugins on the target site and potentially achieve arbitrary code execution on the server under certain conditions.
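To make the root cause concrete, the following is an added illustration written for this page, not code from the GSheetConnector plugin: a generic WordPress admin-ajax handler that installs a plugin, shown first without any authorization check and then with the checks a defender would expect. The function names, the hook name `wp_ajax_example_install_plugin`, the nonce action and the `slug` parameter are all hypothetical; only the WordPress API calls (`current_user_can`, `check_ajax_referer`, `wp_send_json_error`, `wp_send_json_success`, `sanitize_key`) are real.

```php
<?php
// Added illustration, not the plugin's code. Handler names, the hook name and
// the request parameters below are hypothetical.

// BEFORE (the pattern the advisory describes): wp_ajax_* hooks fire for every
// logged-in user, so with no capability check a subscriber can reach code that
// performs an administrator-only action.
function example_install_plugin_unchecked() {
    $slug = sanitize_key( $_POST['slug'] ?? '' );
    // ... would download and activate the plugin identified by $slug ...
    wp_send_json_success( array( 'installed' => $slug ) );
}
// Intentionally not registered; shown only to contrast with the fixed handler.

// AFTER: refuse the request unless the caller holds the capability that
// WordPress itself requires for plugin installation (administrators on a
// single site, super admins on multisite; absent entirely when
// DISALLOW_FILE_MODS is set) and presents a valid nonce bound to this action.
function example_install_plugin_checked() {
    // Authorization: is this user allowed to install plugins at all?
    if ( ! current_user_can( 'install_plugins' ) ) {
        // wp_send_json_error() calls wp_die(), so execution stops here.
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Request authenticity: reject requests that did not originate from a
    // page that issued a nonce for this specific action (CSRF protection).
    check_ajax_referer( 'example_install_plugin', 'nonce' );

    // Input validation happens only after both checks pass.
    $slug = sanitize_key( $_POST['slug'] ?? '' );
    if ( '' === $slug ) {
        wp_send_json_error( array( 'message' => 'Missing plugin slug.' ), 400 );
    }

    // ... perform the installation for $slug ...
    wp_send_json_success( array( 'installed' => $slug ) );
}
add_action( 'wp_ajax_example_install_plugin', 'example_install_plugin_checked' );
```

The page that triggers this handler would generate the matching token with `wp_create_nonce( 'example_install_plugin' )` and send it as the `nonce` field. The order matters: the capability check comes first because it answers "may this user ever do this?", while the nonce only proves the request was not forged on behalf of a user who is already allowed. A nonce alone would not have prevented the issue described above, since a subscriber can obtain a nonce for any page they can load.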
Explanation of Vulnerability in Simple Terms
02 Summary
GSheetConnector for Gravity Forms versions up to 1.3.27 lack proper authorization checks, allowing authenticated users with low privileges to read, modify, or delete sensitive data. An attacker with a basic user account can access form entries, Google Sheets credentials, and configuration settings they should not be able to view or change. This affects all sites running the vulnerable plugin versions.
What an attacker can do
03 Attacker Capabilities
Read, modify, or delete form entries and Google Sheets data without proper permission checks.
Potential impact on your site
04 Site Impact
Form data and Google Sheets integrations are exposed to unauthorized access and modification by any logged-in user.
Conditions required to exploit
05 Prerequisites
Attacker needs a low-privilege user account on the site (e.g., subscriber or contributor role).
Key dates
06 Disclosure Timeline
October 11, 2025: CVE published
April 8, 2026: Record updated