WPGSI Spreadsheet Integration WordPress Plugin Data Manipulation Vulnerability

Vulnerability

The WPGSI: Spreadsheet Integration plugin for WordPress, in all versions up to and including 3.8.3, allows unauthenticated attackers to create, modify and delete posts and pages. The root cause is a missing capability check combined with a flawed authentication scheme in the `wpgsi_callBackFuncAccept` and `wpgsi_callBackFuncUpdate` REST API callbacks. Both routes are registered with `permission_callback => '__return_true'`, so WordPress performs no authorization of its own, and the plugin's custom token check only decodes a Base64-encoded JSON object containing a user ID and an email address. The token carries no cryptographic signature, so the server has no way to tell a forged token from one the plugin issued. An attacker who knows an administrator's user ID and email address (information that is often publicly available) and the ID of an active integration with remote updates enabled can therefore forge a valid token and create, update or delete arbitrary WordPress posts or pages.

Impact

Successful exploitation allows an unauthenticated attacker to create, modify or delete arbitrary WordPress posts and pages.

Reproduction

To reproduce, send a POST request to the `wp-json/wpgsi/update` endpoint carrying a forged token: a Base64-encoded JSON object containing the user ID and email address of an administrator. Because the token is not signed, the endpoint cannot distinguish it from a token the plugin issued. Once the token is accepted, the `sheetData` parameter controls what is written, which allows posts and pages to be created or modified. To delete a post or page, include the corresponding post ID in the `sheetData` parameter.
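The following Python model, added here as an illustration and not taken from the plugin, shows why the token described above is forgeable and what a signed alternative looks like. The JSON field names (`id`, `email`), the lookup against a known-users table and the server secret are assumptions for the demonstration; the page does not give the plugin's exact field names or validation code.

```python
"""
Model of the WPGSI token scheme described in this advisory (added illustration,
not the plugin's code): an unsigned Base64(JSON) token that anyone can forge,
next to an HMAC-signed variant that rejects forgeries. Field names ("id",
"email"), the known-users lookup and the secret are assumptions.
"""
import base64
import hashlib
import hmac
import json


def forge_token(user_id: int, email: str) -> str:
    """Build the unsigned token the advisory describes: Base64 of a JSON object
    holding a user ID and email. No secret is involved, so anyone who knows an
    admin's ID and email can produce one."""
    payload = json.dumps({"id": user_id, "email": email}, separators=(",", ":"))
    return base64.b64encode(payload.encode()).decode()


def vulnerable_validate(token: str, known_users: dict) -> bool:
    """Assumed model of the flawed check: decode, then accept if the ID/email
    pair belongs to a privileged user. Nothing proves who minted the token."""
    try:
        data = json.loads(base64.b64decode(token))
    except (ValueError, TypeError):
        return False
    return known_users.get(data.get("id")) == data.get("email")


def signed_token(secret: bytes, user_id: int, email: str) -> str:
    """Hardened variant: append an HMAC-SHA256 tag over the payload, keyed with
    a server-side secret. Only a holder of the secret can mint a valid token."""
    payload = json.dumps({"id": user_id, "email": email}, separators=(",", ":")).encode()
    tag = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return base64.b64encode(payload).decode() + "." + tag


def secure_validate(secret: bytes, token: str, known_users: dict) -> bool:
    """Recompute the tag and compare in constant time before trusting any field."""
    try:
        b64_payload, tag = token.split(".", 1)
        payload = base64.b64decode(b64_payload, validate=True)
    except (ValueError, TypeError):
        return False
    expected = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False
    data = json.loads(payload)
    return known_users.get(data.get("id")) == data.get("email")


# Constructed sample data: the site's only administrator and a server secret.
ADMIN_USERS = {1: "admin@example.com"}
SERVER_SECRET = b"constructed-server-secret"


def demo() -> dict:
    """Forge a token from public information and try it against both checks."""
    forged = forge_token(1, "admin@example.com")                   # attacker-made
    genuine = signed_token(SERVER_SECRET, 1, "admin@example.com")  # server-made
    tampered = genuine.split(".")[0] + "." + "0" * 64              # wrong tag
    return {
        "forged_accepted_by_vulnerable": vulnerable_validate(forged, ADMIN_USERS),
        "forged_accepted_by_secure": secure_validate(SERVER_SECRET, forged, ADMIN_USERS),
        "genuine_accepted_by_secure": secure_validate(SERVER_SECRET, genuine, ADMIN_USERS),
        "tampered_accepted_by_secure": secure_validate(SERVER_SECRET, tampered, ADMIN_USERS),
    }


if __name__ == "__main__":
    print(demo())
```

The unsigned scheme accepts the forged token because the only thing it checks is data the attacker already has; the signed scheme rejects both the forged token (no tag) and a tampered one (wrong tag). In a WordPress plugin the same fix belongs in the route's `permission_callback`, which should verify the request (a capability check such as `current_user_can()` or a keyed signature check) rather than returning `true` unconditionally.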

Remediation

Update to WPGSI: Spreadsheet Integration version 3.8.4 or later, which addresses this vulnerability.

Added: Feb 25, 2026, 10:56 AM
Updated: Feb 25, 2026, 10:56 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 7.2
remediation: 0.0
relevance: 3.4
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.