CVE-2026-1916: CWE-862 Missing Authorization in javmah WPGSI: Spreadsheet Integration
CVE-2026-1916 is a high-severity vulnerability in the WPGSI: Spreadsheet Integration WordPress plugin affecting all versions up to 3.8.3. The flaw arises from missing authorization checks on two REST API endpoints (`wpgsi_callBackFuncAccept` and `wpgsi_callBackFuncUpdate`), which are configured to allow unauthenticated access. The plugin’s token validation mechanism is weak, relying on unsigned Base64-encoded JSON containing user ID and email, enabling attackers who know an admin’s email and integration ID to forge tokens. Exploitation allows unauthorized creation, modification, and deletion of WordPress posts and pages, impacting data integrity. No known exploits are currently reported in the wild. The CVSS score is 7.5 (high), reflecting the ease of remote exploitation without authentication and significant impact on integrity. Organizations using this plugin should urgently restrict access, monitor API usage, and apply patches or mitigations once available.
AI Analysis
Technical Summary
The vulnerability CVE-2026-1916 affects the WPGSI: Spreadsheet Integration plugin for WordPress, versions up to and including 3.8.3. It stems from missing authorization (CWE-862) on two REST API endpoints: `wpgsi_callBackFuncAccept` and `wpgsi_callBackFuncUpdate`. Both endpoints are configured with `permission_callback => '__return_true'`, effectively disabling any permission checks and allowing unauthenticated users to invoke these functions. The plugin attempts to validate requests using a custom token-based mechanism, which encodes a JSON object containing the user ID and email address in Base64. However, this token is not cryptographically signed or otherwise protected, making it trivial for attackers to forge tokens if they know or can guess the administrator’s email and an active integration ID. This weakness allows attackers to bypass authentication and authorization controls, enabling them to create, modify, or delete arbitrary WordPress posts and pages remotely. The vulnerability compromises the integrity of website content and could lead to defacement, misinformation, or disruption of business operations. The CVSS 3.1 score of 7.5 reflects the vulnerability’s high impact on integrity, ease of exploitation (no authentication or user interaction required), and network attack vector. Although no public exploits are currently known, the vulnerability’s nature makes it a prime target for attackers. The plugin’s widespread use in WordPress environments that rely on spreadsheet integration for content management increases the risk profile. The lack of cryptographic signing in the token mechanism is a critical design flaw that undermines the security model of the plugin’s REST API endpoints.
Potential Impact
The primary impact of CVE-2026-1916 is unauthorized modification and deletion of WordPress content, which can severely affect the integrity of websites using the WPGSI plugin. Attackers can manipulate posts and pages, potentially leading to website defacement, misinformation dissemination, or disruption of normal business operations. This can damage organizational reputation, cause loss of customer trust, and result in financial losses. Since the vulnerability requires no authentication and can be exploited remotely, it poses a significant risk to any WordPress site using the affected plugin versions. The lack of integrity controls also raises concerns about potential use in broader attacks, such as implanting malicious content or backdoors. Although availability and confidentiality impacts are not directly indicated, the integrity compromise alone is critical for content-driven websites. Organizations relying on this plugin for content updates or integration with external systems may face operational disruptions. The vulnerability also increases the attack surface for threat actors targeting WordPress ecosystems, which are widely used globally.
Mitigation Recommendations
Immediate mitigation steps include disabling or restricting access to the vulnerable REST API endpoints (`wpgsi_callBackFuncAccept` and `wpgsi_callBackFuncUpdate`) through web application firewalls (WAFs) or server-level access controls to prevent unauthenticated calls. Administrators should verify and limit knowledge of administrator email addresses and integration IDs to reduce token forgery risk. Monitoring REST API logs for unusual or unauthorized activity targeting these endpoints can help detect exploitation attempts early. If possible, temporarily uninstall or deactivate the WPGSI plugin until a secure patched version is released. Developers should implement proper authorization checks on all REST API endpoints, replacing `permission_callback => '__return_true'` with robust capability checks tied to authenticated user roles. The token validation mechanism must be redesigned to use cryptographically signed tokens (e.g., JWT with secret keys) to prevent forgery. Organizations should also ensure WordPress core and all plugins are kept up to date and conduct regular security audits of custom integrations. Applying principle of least privilege to all user roles and API access will further reduce risk.
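The following PHP is an added illustration, not code from the WPGSI plugin or from Wordfence: it places the weak pattern described in the technical summary (an open `permission_callback` plus an unsigned Base64 JSON token) beside the hardened form the mitigation section calls for (a capability check tied to a real user, and a token that is HMAC-signed with site secret material and expires). The route namespace `wpgsi-example/v1`, the route names, the function names, the token field layout and the 600-second lifetime are all assumptions made for the example; the plugin's actual token format is not reproduced here. HMAC-SHA256 over the payload is used instead of a JWT library because WordPress ships everything needed for it.

```php
<?php
// Added example (not the plugin's code). Assumptions: namespace, route names,
// token field layout and lifetime are illustrative only.

// ---- Weak pattern: token is base64(JSON) with no signature -------------------
function wpgsi_example_weak_validate( string $token ) {
    $data = json_decode( (string) base64_decode( $token, true ), true );
    if ( ! is_array( $data ) || empty( $data['user_id'] ) || empty( $data['email'] ) ) {
        return false;
    }
    // Nothing here proves the site issued this token: every field is caller-supplied,
    // so matching a user ID to an e-mail address is not authorization (CWE-862).
    $user = get_user_by( 'id', (int) $data['user_id'] );
    return $user && $user->user_email === $data['email'];
}

function wpgsi_example_weak_handler( WP_REST_Request $request ) {
    if ( ! wpgsi_example_weak_validate( (string) $request->get_param( 'token' ) ) ) {
        return new WP_Error( 'wpgsi_bad_token', 'Invalid token.', array( 'status' => 401 ) );
    }
    return wpgsi_example_update_handler( $request ); // same write, no real authorization
}

// ---- Hardened pattern: HMAC-signed, expiring token + capability check --------
const WPGSI_EXAMPLE_TOKEN_TTL = 600; // seconds (assumed value for the example)

function wpgsi_example_issue_token( int $user_id, string $integration_id ): string {
    $payload = wp_json_encode( array(
        'uid' => $user_id,
        'iid' => $integration_id,
        'exp' => time() + WPGSI_EXAMPLE_TOKEN_TTL,
    ) );
    // wp_salt('auth') comes from the per-site secrets in wp-config.php; a token
    // cannot be reproduced without it, unlike plain base64 encoding.
    $sig = hash_hmac( 'sha256', $payload, wp_salt( 'auth' ) );
    return base64_encode( $payload ) . '.' . $sig;
}

function wpgsi_example_verify_token( string $token ) {
    $parts = explode( '.', $token, 2 );
    if ( count( $parts ) !== 2 ) {
        return new WP_Error( 'wpgsi_bad_token', 'Malformed token.', array( 'status' => 401 ) );
    }
    list( $b64, $sig ) = $parts;
    $payload  = base64_decode( $b64, true );
    $expected = hash_hmac( 'sha256', (string) $payload, wp_salt( 'auth' ) );
    // hash_equals() is a constant-time comparison, so the check leaks no timing data.
    if ( false === $payload || ! hash_equals( $expected, $sig ) ) {
        return new WP_Error( 'wpgsi_bad_signature', 'Invalid signature.', array( 'status' => 401 ) );
    }
    $data = json_decode( $payload, true );
    if ( ! is_array( $data ) || empty( $data['exp'] ) || time() > (int) $data['exp'] ) {
        return new WP_Error( 'wpgsi_expired', 'Token expired.', array( 'status' => 401 ) );
    }
    return $data;
}

// permission_callback: WordPress runs this before the handler; returning a
// WP_Error with a status rejects the request with that HTTP code.
function wpgsi_example_permission( WP_REST_Request $request ) {
    $data = wpgsi_example_verify_token( (string) $request->get_param( 'token' ) );
    if ( is_wp_error( $data ) ) {
        return $data;
    }
    // Bind the token to a stored user and require the capability for this exact
    // post, rather than trusting an e-mail address the caller chose.
    $user    = get_user_by( 'id', (int) $data['uid'] );
    $post_id = (int) $request->get_param( 'post_id' );
    if ( ! $user || ! user_can( $user, 'edit_post', $post_id ) ) {
        return new WP_Error( 'wpgsi_forbidden', 'Insufficient capability.', array( 'status' => 403 ) );
    }
    return true;
}

function wpgsi_example_update_handler( WP_REST_Request $request ) {
    $post_id = (int) $request->get_param( 'post_id' );
    $result  = wp_update_post( array(
        'ID'           => $post_id,
        'post_content' => wp_kses_post( (string) $request->get_param( 'content' ) ),
    ), true );
    if ( is_wp_error( $result ) ) {
        return $result;
    }
    return rest_ensure_response( array( 'updated' => $post_id ) );
}

add_action( 'rest_api_init', function () {
    $args = array(
        'token'   => array( 'required' => true, 'type' => 'string' ),
        'post_id' => array( 'required' => true, 'type' => 'integer' ),
        'content' => array( 'required' => true, 'type' => 'string' ),
    );
    // Weak route: '__return_true' disables WordPress permission checks entirely.
    register_rest_route( 'wpgsi-example/v1', '/callback-weak', array(
        'methods'             => 'POST',
        'callback'            => 'wpgsi_example_weak_handler',
        'permission_callback' => '__return_true',
        'args'                => $args,
    ) );
    // Hardened route: signed token, expiry and per-post capability check.
    register_rest_route( 'wpgsi-example/v1', '/callback-update', array(
        'methods'             => 'POST',
        'callback'            => 'wpgsi_example_update_handler',
        'permission_callback' => 'wpgsi_example_permission',
        'args'                => $args,
    ) );
} );
```

The weak route is included only to make the contrast concrete; in a real plugin it would be removed, not kept alongside the fixed one. The signed token still binds the integration ID (`iid`) so a token issued for one integration can be rejected by another, and the per-post `edit_post` check applies least privilege at the point where the write actually happens.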
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-02-04T15:54:39.204Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699eb5bab7ef31ef0bee1257
Added to database: 2/25/2026, 8:41:30 AM
Last enriched: 2/25/2026, 8:56:22 AM
Last updated: 2/25/2026, 10:49:10 AM