CVE-2024-12164: CWE-862 Missing Authorization in creativewerkdesigns WPSyncSheets Lite For WPForms – WPForms Google Spreadsheet Addon
CVE-2024-12164 is a medium severity vulnerability in the WPSyncSheets Lite For WPForms – WPForms Google Spreadsheet Addon WordPress plugin. It arises from a missing authorization check in the wpsslwp_reset_settings() function, allowing authenticated users with Subscriber-level access or higher to reset plugin settings without proper permissions. This flaw does not require user interaction and can be exploited remotely over the network. While it does not impact confidentiality or availability, it allows unauthorized modification of plugin settings, potentially disrupting functionality or enabling further attacks. No known exploits are currently reported in the wild. Organizations using this plugin should apply patches or implement access restrictions promptly. The vulnerability primarily affects WordPress sites using this plugin, which are prevalent in countries with high WordPress adoption. The CVSS score is 4.3, reflecting a medium risk due to limited impact and required authentication. Defenders should audit user roles, restrict plugin management capabilities, and monitor for suspicious configuration changes.
AI Analysis
Technical Summary
CVE-2024-12164 identifies a missing authorization vulnerability (CWE-862) in the WPSyncSheets Lite For WPForms – WPForms Google Spreadsheet Addon plugin for WordPress, affecting all versions up to and including 1.6. The vulnerability stems from the wpsslwp_reset_settings() function lacking a proper capability check, which means that any authenticated user with at least Subscriber-level privileges can invoke this function to reset the plugin's settings without appropriate permissions. This unauthorized modification can disrupt the plugin's intended operation, potentially leading to misconfigurations or enabling further exploitation vectors if attackers manipulate settings to weaken security controls. The vulnerability is remotely exploitable over the network without requiring user interaction, but it does require the attacker to have an authenticated account on the WordPress site. The CVSS v3.1 base score is 4.3 (medium severity), reflecting the limited impact on confidentiality and availability but acknowledging the integrity impact due to unauthorized changes. No patches or exploit code are currently publicly available, and no known active exploitation has been reported. The vulnerability affects a niche plugin used to synchronize WPForms data with Google Spreadsheets, which is popular among WordPress users who integrate form data with spreadsheets for automation or reporting purposes.
Potential Impact
The primary impact of this vulnerability is unauthorized modification of plugin settings, which can lead to disruption of data synchronization between WPForms and Google Spreadsheets. Although it does not directly expose sensitive data or cause denial of service, attackers with low-level authenticated access can alter configurations, potentially disabling logging, changing data export parameters, or corrupting integration workflows. This can degrade business processes relying on accurate form data collection and reporting. Additionally, altered settings could be leveraged as a foothold for further attacks if attackers manipulate plugin behavior to escalate privileges or inject malicious payloads. Organizations relying on this plugin for critical data workflows may experience operational interruptions or data integrity issues. Since the vulnerability requires authenticated access, the risk is higher in environments with weak user management or where subscriber accounts are easily compromised or created.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately update the WPSyncSheets Lite For WPForms plugin to a patched version once available from the vendor. Until a patch is released, restrict user roles and permissions to limit Subscriber-level access to trusted users only. Implement strict user account management policies, including multi-factor authentication and regular review of user privileges. Monitor WordPress logs for unusual activity related to plugin settings changes or reset functions. Consider disabling or uninstalling the plugin if it is not essential to reduce attack surface. Additionally, use WordPress security plugins that can enforce capability checks or block unauthorized REST API calls targeting plugin functions. Regular backups of plugin settings and form data should be maintained to enable quick recovery from unauthorized modifications. Finally, educate site administrators about the risks of granting unnecessary access to low-privilege users.
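The Technical Summary above describes the root cause (a settings-reset function with no capability check, CWE-862) and the Mitigation Recommendations ask for enforced capability checks and logging of reset activity. The following is an added illustration, not code from the WPSyncSheets plugin or its vendor: a hypothetical WordPress admin-ajax handler that resets plugin options, shown first in the vulnerable shape the advisory describes and then hardened. The option name `example_plugin_settings`, the AJAX action `example_reset_settings` and the nonce action name are placeholders; the WordPress API calls (`current_user_can`, `check_ajax_referer`, `delete_option`, `wp_send_json_*`) are real core functions.

```php
<?php
// Added example, not the plugin's own code. Placeholder names throughout:
// 'example_plugin_settings' (option), 'example_reset_settings' (AJAX action),
// 'example_reset_settings_nonce' (nonce action).

// --- Vulnerable pattern (the class of bug behind CVE-2024-12164, CWE-862).
// Any logged-in user can reach a wp_ajax_* hook, so without a capability
// check a Subscriber-level account can wipe the plugin's configuration.
function example_reset_settings_vulnerable() {
    delete_option( 'example_plugin_settings' );
    wp_send_json_success( 'settings reset' );
}
// add_action( 'wp_ajax_example_reset_settings', 'example_reset_settings_vulnerable' );

// --- Hardened pattern: authorize first, then verify the request is intended.
function example_reset_settings_hardened() {
    // 1. Authorization: only users allowed to manage site options may proceed.
    //    wp_send_json_error() terminates the request, so no return is needed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    // 2. CSRF protection: the request must carry a nonce issued for this action.
    //    check_ajax_referer() dies with -1 / 403 when the nonce is missing or stale.
    check_ajax_referer( 'example_reset_settings_nonce', 'nonce' );

    // 3. Perform the privileged operation only after both checks passed.
    delete_option( 'example_plugin_settings' );

    // 4. Leave an audit trail so a reset is visible to whoever monitors logs.
    error_log( sprintf(
        'example plugin settings reset by user %d from %s',
        get_current_user_id(),
        isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( $_SERVER['REMOTE_ADDR'] ) : 'unknown'
    ) );

    wp_send_json_success( 'settings reset' );
}
add_action( 'wp_ajax_example_reset_settings', 'example_reset_settings_hardened' );

// The page that triggers the reset must pass the nonce along, e.g. by
// localizing it into the admin script:
//   wp_localize_script( 'example-admin', 'exampleReset',
//       array( 'nonce' => wp_create_nonce( 'example_reset_settings_nonce' ) ) );
```

The order matters: the capability check comes before the nonce check because a nonce only proves the request originated from a page the user loaded, not that the user is allowed to perform the action. Reviewing a plugin for this bug class means looking at every `wp_ajax_*`, `admin_post_*` and REST route callback and confirming that each privileged branch is guarded by a `current_user_can()` check against a capability Subscribers do not hold.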
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, India, France, Netherlands, Brazil, Japan
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-12-04T14:41:18.256Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 699f6e30b7ef31ef0b5976ac
Added to database: 2/25/2026, 9:48:32 PM
Last enriched: 2/26/2026, 6:15:30 AM
Last updated: 2/26/2026, 7:25:04 AM