CVE-2026-4843

MEDIUM 4.3

GSheet For Woo Importer <= 2.3.1 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Reset

CVSS Score

4.3

EPSS Score

0.0%

EPSS Percentile

1th

The GSheet For Woo Importer plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the process_ajax_restore_action() function in all versions up to, and including, 2.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the plugin's Google Sheets API token and configuration options.

CWE	CWE-862
Vendor	mrdollar4444
Product	gsheet for woo importer
Published	May 21, 2026
Last Updated	May 22, 2026

Stay Ahead of the Next One

Get instant alerts for mrdollar4444 gsheet for woo importer

Be the first to know when new medium vulnerabilities affecting mrdollar4444 gsheet for woo importer are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

mrdollar4444 / GSheet For Woo Importer

0 ≤ 2.3.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/b0d60991-0675-4efa-9427-380e6b59fe28?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/import-products-from-gsheet-for-woo-importer/tags/2.3.1/src/Actions/AdminSettingsAction.php#L391

Credits

Abhirup Konwar