Unauthorized Data Modification Risk in WPGSI: Spreadsheet Integration Plugin for WordPress

CVE-2026-1916

What is CVE-2026-1916?

The WPGSI: Spreadsheet Integration plugin for WordPress exhibits a significant security flaw that allows unauthorized data modifications and potential data loss. This vulnerability arises from inadequate capability checks and a weak authentication mechanism in the wpgsi_callBackFuncAccept and wpgsi_callBackFuncUpdate REST API functions across all versions up to 3.8.3. By using permission_callback => '__return_true', the plugin permits unauthenticated access to critical endpoints. Additionally, its custom token-based validation system, relying on a Base64-encoded JSON object containing non-secure user information, is easily exploitable. Attackers can forge tokens using publicly accessible data such as the administrator's email and user ID, enabling them to create, alter, or delete WordPress posts and pages without proper authorization.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch →

References