CVE-2025-67570: Missing Authorization in GSheetConnector by WesternDeal WPForms Google Sheet Connector
Missing Authorization vulnerability in GSheetConnector by WesternDeal WPForms Google Sheet Connector gsheetconnector-wpforms allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WPForms Google Sheet Connector: from n/a through <= 4.0.0.
AI Analysis
Technical Summary
CVE-2025-67570 identifies a missing authorization vulnerability in the GSheetConnector by WesternDeal, a plugin that integrates WPForms with Google Sheets. The vulnerability arises from improperly configured access control security levels, which allow unauthenticated remote attackers to perform actions that should require authorization. Specifically, the plugin fails to verify whether the requester has the necessary permissions before processing requests that interact with Google Sheets. The affected versions include all releases up to and including 4.0.0. The vulnerability has a CVSS v3.1 base score of 5.3, reflecting a medium severity level. The vector specifies a network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), no confidentiality impact (C:N), low integrity impact (I:L), and no availability impact (A:N). In other words, an attacker can exploit the flaw remotely, without authentication or user interaction, to affect data integrity, for example by modifying or injecting data in Google Sheets linked via the plugin. No public exploits or patches are currently available, and the vulnerability was published on December 9, 2025. The issue is most significant for environments that rely on the plugin for data collection and processing, as unauthorized data manipulation could undermine business processes and reporting accuracy.
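The bug class described above, shown as an added illustration in a WordPress AJAX handler: the unchecked pattern beside a hardened one. This is not the GSheetConnector plugin's code; every `demo_*` hook, function, option and nonce name is hypothetical, and `manage_options` is an assumed choice of capability.

```php
<?php
// Added illustration of a missing-authorization flaw in a WordPress AJAX
// handler. All demo_* names are hypothetical, not taken from the plugin.

// --- Unchecked pattern -----------------------------------------------------
// The handler changes state without asking who the caller is. Registering it
// on wp_ajax_nopriv_* also makes it reachable by logged-out visitors.
add_action( 'wp_ajax_demo_save_sheet', 'demo_save_sheet_unchecked' );
add_action( 'wp_ajax_nopriv_demo_save_sheet', 'demo_save_sheet_unchecked' );

function demo_save_sheet_unchecked() {
    // Sanitizing input is not authorization: the value is clean, but anyone
    // who can reach admin-ajax.php can still set it.
    $sheet_id = isset( $_POST['sheet_id'] )
        ? sanitize_text_field( wp_unslash( $_POST['sheet_id'] ) )
        : '';
    update_option( 'demo_sheet_id', $sheet_id );
    wp_send_json_success();
}

// --- Hardened pattern ------------------------------------------------------
// Authenticated hook only, then a nonce check (request intent), then a
// capability check (authorization), and only then the state change.
add_action( 'wp_ajax_demo_save_sheet_safe', 'demo_save_sheet_checked' );

function demo_save_sheet_checked() {
    // Nonce issued by the settings page via wp_create_nonce( 'demo_save_sheet' ).
    // Third argument false: return false instead of dying, so we pick the status.
    if ( ! check_ajax_referer( 'demo_save_sheet', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce' ), 403 );
    }

    // Assumed policy: only users who may manage site options can change this.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    $sheet_id = isset( $_POST['sheet_id'] )
        ? sanitize_text_field( wp_unslash( $_POST['sheet_id'] ) )
        : '';
    update_option( 'demo_sheet_id', $sheet_id );
    wp_send_json_success();
}
```

`wp_send_json_error()` ends the request, so neither failed check falls through to `update_option()`. A nonce alone is not an authorization check, which is why the capability test is separate.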
Potential Impact
For European organizations, the missing authorization vulnerability poses a risk primarily to data integrity within workflows that use WPForms integrated with Google Sheets via the GSheetConnector plugin. Attackers could inject or alter data without authentication, potentially corrupting business records, financial data, or customer information stored or processed through these sheets. This could lead to erroneous decision-making, compliance violations, and reputational damage. Since the vulnerability does not impact confidentiality or availability, direct data breaches or service outages are less likely. However, the integrity compromise can have cascading effects, especially in sectors like finance, healthcare, and government where data accuracy is critical. Organizations using WordPress sites with this plugin are at risk, particularly if the plugin is exposed to the internet without additional access controls. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits post-disclosure.
Mitigation Recommendations
1. Monitor official sources for patches or updates from WesternDeal or WPForms and apply them promptly once released.
2. Until patches are available, restrict access to the WordPress admin and plugin endpoints using IP whitelisting, VPNs, or web application firewalls (WAFs) to limit exposure.
3. Implement strict role-based access controls within WordPress to minimize the number of users who can interact with the plugin.
4. Audit and monitor logs for unusual activity related to the plugin, such as unexpected API calls or data changes in connected Google Sheets.
5. Consider disabling or uninstalling the GSheetConnector plugin if it is not essential, or replace it with alternative solutions that have verified secure authorization controls.
6. Educate administrators about the risks of unauthorized plugin access and enforce strong authentication mechanisms (e.g., MFA) for WordPress accounts.
7. Regularly back up Google Sheets data and WordPress configurations to enable recovery from potential data integrity incidents.
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-12-09T12:21:28.862Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 693833ab29cea75c35ae56dd
Added to database: 12/9/2025, 2:35:23 PM
Last enriched: 1/21/2026, 1:01:20 AM
Last updated: 2/6/2026, 7:37:47 AM