CVE-2026-1916: CWE-862 Missing Authorization in javmah WPGSI: Spreadsheet Integration
The WPGSI: Spreadsheet Integration plugin for WordPress is vulnerable to unauthorized modification and loss of data due to missing capability checks and an insecure authentication mechanism on the `wpgsi_callBackFuncAccept` and `wpgsi_callBackFuncUpdate` REST API functions in all versions up to, and including, 3.8.3. Both REST endpoints use `permission_callback => '__return_true'`, allowing unauthenticated access. The plugin's custom token-based validation relies on a Base64-encoded JSON object containing the user ID and email address, but is not cryptographically signed. This makes it possible for unauthenticated attackers to forge tokens using publicly enumerable information (admin user ID and email) to create, modify, and delete arbitrary WordPress posts and pages, granted they know the administrator's email address and an active integration ID with remote updates enabled.
AI Analysis
Technical Summary
CVE-2026-1916 is a missing authorization vulnerability (CWE-862) in the WPGSI: Spreadsheet Integration WordPress plugin. The REST API functions `wpgsi_callBackFuncAccept` and `wpgsi_callBackFuncUpdate` use `permission_callback => '__return_true'`, allowing unauthenticated access. The plugin relies on a custom token-based validation using a Base64-encoded JSON object containing user ID and email, but this token is not cryptographically signed, making it forgeable. An attacker with knowledge of the administrator's email and an active integration ID can create, modify, or delete arbitrary WordPress posts and pages.
Potential Impact
The vulnerability allows unauthenticated attackers to perform unauthorized modifications to WordPress content, specifically creating, updating, or deleting posts and pages. This can lead to significant integrity issues within the affected WordPress site. There is no direct confidentiality or availability impact noted. No known exploits in the wild have been reported as of the publication date.
Mitigation Recommendations
No official patch or fix is currently available for this vulnerability. Users should monitor the vendor's advisory for updates. Until a fix is released, restricting access to the affected REST API endpoints via web application firewall rules or disabling the plugin if not required may reduce exposure. Verify and limit knowledge of administrator email addresses and integration IDs to trusted personnel only. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.
CVE-2026-1916: CWE-862 Missing Authorization in javmah WPGSI: Spreadsheet Integration
Description
The WPGSI: Spreadsheet Integration plugin for WordPress is vulnerable to unauthorized modification and loss of data due to missing capability checks and an insecure authentication mechanism on the `wpgsi_callBackFuncAccept` and `wpgsi_callBackFuncUpdate` REST API functions in all versions up to, and including, 3.8.3. Both REST endpoints use `permission_callback => '__return_true'`, allowing unauthenticated access. The plugin's custom token-based validation relies on a Base64-encoded JSON object containing the user ID and email address, but is not cryptographically signed. This makes it possible for unauthenticated attackers to forge tokens using publicly enumerable information (admin user ID and email) to create, modify, and delete arbitrary WordPress posts and pages, granted they know the administrator's email address and an active integration ID with remote updates enabled.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-1916 is a missing authorization vulnerability (CWE-862) in the WPGSI: Spreadsheet Integration WordPress plugin. The REST API functions `wpgsi_callBackFuncAccept` and `wpgsi_callBackFuncUpdate` use `permission_callback => '__return_true'`, allowing unauthenticated access. The plugin relies on a custom token-based validation using a Base64-encoded JSON object containing user ID and email, but this token is not cryptographically signed, making it forgeable. An attacker with knowledge of the administrator's email and an active integration ID can create, modify, or delete arbitrary WordPress posts and pages.
Potential Impact
The vulnerability allows unauthenticated attackers to perform unauthorized modifications to WordPress content, specifically creating, updating, or deleting posts and pages. This can lead to significant integrity issues within the affected WordPress site. There is no direct confidentiality or availability impact noted. No known exploits in the wild have been reported as of the publication date.
Mitigation Recommendations
No official patch or fix is currently available for this vulnerability. Users should monitor the vendor's advisory for updates. Until a fix is released, restricting access to the affected REST API endpoints via web application firewall rules or disabling the plugin if not required may reduce exposure. Verify and limit knowledge of administrator email addresses and integration IDs to trusted personnel only. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-02-04T15:54:39.204Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699eb5bab7ef31ef0bee1257
Added to database: 2/25/2026, 8:41:30 AM
Last enriched: 4/9/2026, 6:36:09 PM
Last updated: 4/11/2026, 12:46:32 PM
Views: 95
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.