GSheetConnector For Gravity Forms < 1.3.28 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation | CVE 2025-8593 | Plugin Vulnerabilities

Description

The GSheetConnector For Gravity Forms plugin for WordPress is vulnerable to authorization bypass in versions less than, or equal to, 1.3.27. This is due to a missing capability check on the 'install_plugin' function. This makes it possible for authenticated attackers, with subscriber-level access and above to install plugins on the target site and potentially achieve arbitrary code execution on the server under certain conditions.

Affects Plugins

gsheetconnector-gravity-forms

Fixed in 1.3.28

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/c7266ce6-2853-4c5d-9e36-8c5b7418b072

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

wesley (wcraft)

Verified

No

WPVDB ID

26729860-3645-412e-93f8-00bc12cde776

Timeline

Publicly Published

2025-10-10 (about 8 months ago)

Added

2025-10-10 (about 8 months ago)

Last Updated

2025-10-11 (about 8 months ago)

Other

Published

Title

Published

2025-12-12

Title

Directory Pro <= 2.5.6 - Missing Authorization

Published

2023-12-21

Title

Paid Memberships Pro < 2.12.6 - Missing Authorization via API

Published

2025-09-16

Title

Wide Banner <= 1.0.4 - Missing Authorization

Published

2025-03-31

Title

Safe Ai Malware Protection for WP <= 1.0.20 - Missing Authorization

Published

2025-04-22

Title

Evergreen Content Poster < 1.4.6 - Missing Authorization