What the vulnerability does
01 Description
The GSheet For Woo Importer plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the process_ajax_restore_action() function in all versions up to, and including, 2.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the plugin's Google Sheets API token and configuration options.
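An added example, not the plugin's own code: the shape of an AJAX handler like process_ajax_restore_action() once it verifies a nonce and a capability before deleting options. The action name, option keys and the choice of the `manage_options` capability are assumptions, and the snippet assumes it is loaded as a WordPress plugin.

```php
<?php
/**
 * Plugin Name: Restore Handler Hardening Example (constructed)
 */

// Hypothetical names: the AJAX action, nonce action and option keys below are
// placeholders, not the plugin's real identifiers.
const EXAMPLE_RESTORE_ACTION = 'example_gsheet_restore';
const EXAMPLE_OPTION_KEYS    = array( 'example_gsheet_token', 'example_gsheet_settings' );

// wp_ajax_{action} fires for every logged-in user, Subscribers included,
// so registering the hook is not an authorization check by itself.
add_action( 'wp_ajax_' . EXAMPLE_RESTORE_ACTION, 'example_process_ajax_restore_action' );

function example_process_ajax_restore_action() {
    // 1. CSRF: reject requests without a valid nonce for this action.
    //    Third argument false = return the result instead of dying, so we
    //    can answer with a JSON error and an explicit status code.
    if ( ! check_ajax_referer( EXAMPLE_RESTORE_ACTION, 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce.' ), 403 );
    }

    // 2. Authorization: the capability check. A nonce only proves the request
    //    came from a page the user loaded; it does not prove the user is
    //    allowed to reset settings. Assumed policy: administrators only.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Only after both checks pass, perform the destructive reset.
    foreach ( EXAMPLE_OPTION_KEYS as $key ) {
        delete_option( $key );
    }
    wp_send_json_success( array( 'message' => 'Settings restored.' ) );
}
```

Both `wp_send_json_error()` and `wp_send_json_success()` terminate the request, so execution never reaches the `delete_option()` loop when either check fails.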
Explanation of Vulnerability in Simple Terms
02 Summary
GSheet For Woo Importer versions 2.3.1 and earlier lack proper authorization checks on certain functions. A logged-in user with low privileges can modify data they should not have access to. The vulnerability requires an active WordPress user account but no special interaction from the victim.
What an attacker can do
03 Attacker Capabilities
Modify data in the WooCommerce store without proper permission checks.
Potential impact on your site
04 Site Impact
Unauthorized users can alter WooCommerce product or import data, risking data integrity and store operations.
Conditions required to exploit
05 Prerequisites
Attacker must have a low-privilege WordPress user account (e.g., subscriber or contributor).
Key dates
06 Disclosure timeline
May 21, 2026: CVE published
May 22, 2026: Record updated