PatchSiren cyber security CVE debrief
CVE-2026-4843 mrdollar4444 CVE debrief
CVE-2026-4843 affects the GSheet For Woo Importer WordPress plugin through version 2.3.1. A missing capability check in an admin AJAX restore action allows authenticated users with Subscriber-level access and above to delete the plugin’s Google Sheets API token and configuration options. The issue is an authorization failure with low integrity impact, but it can still disrupt sheet-based import workflows and force credential/configuration recovery.
- Vendor: mrdollar4444
- Product: GSheet For Woo Importer
- CVSS: MEDIUM 4.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-21
- Original CVE updated: 2026-05-21
- Advisory published: 2026-05-21
- Advisory updated: 2026-05-21
Who should care
WordPress site owners and administrators running GSheet For Woo Importer, especially sites that allow Subscriber-level accounts or other low-privilege authenticated users. Teams relying on the plugin’s Google Sheets API token and configuration should treat this as a configuration-loss risk.
Technical summary
Wordfence attributes the issue to process_ajax_restore_action() in the plugin source and cites a missing capability check. Because the AJAX action is reachable by any authenticated user, an attacker with low-privilege (PR:L) access can delete the plugin’s Google Sheets API token and configuration options. The NVD vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, consistent with a missing-authorization weakness (CWE-862, a form of broken access control) and limited integrity impact.
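The pattern behind this class of bug is that WordPress routes admin-ajax.php requests to a `wp_ajax_{action}` hook for every logged-in user, whatever their role, so a handler that only relies on being logged in treats authentication as authorization. The following is an added example, not the plugin's code or Wordfence's analysis: a constructed handler with the missing check next to a hardened version. The action name (`example_restore`), nonce action and option names are placeholders; the plugin's real identifiers are not given on the page.

```php
<?php
/**
 * Added example (not the plugin's own code): the vulnerable pattern the
 * advisory describes, next to a hardened version.
 *
 * The action name, nonce action and option names below are constructed
 * placeholders; the real plugin's identifiers are not on the page.
 */

// --- Vulnerable pattern: any logged-in user can reach a wp_ajax_* hook. ---
// WordPress dispatches admin-ajax.php requests to wp_ajax_{action} for any
// authenticated user regardless of role, so without a capability check a
// Subscriber-level account can trigger the reset.
function example_vulnerable_restore_action() {
    // No nonce, no current_user_can(): being logged in is mistaken for being authorized.
    delete_option( 'example_gsheet_api_token' );   // placeholder option name
    delete_option( 'example_gsheet_settings' );    // placeholder option name
    wp_send_json_success( array( 'restored' => true ) );
}
// add_action( 'wp_ajax_example_restore', 'example_vulnerable_restore_action' );

// --- Hardened pattern: nonce and capability check before any state change. ---
function example_hardened_restore_action() {
    // 1. CSRF protection: the request must carry a nonce issued for this action.
    //    check_ajax_referer() terminates the request on a bad or missing nonce.
    check_ajax_referer( 'example_restore_nonce', 'nonce' );

    // 2. Authorization: only users who may manage site options can reset them.
    //    wp_send_json_error() ends the request, so nothing below runs on failure.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Allow-list which options this endpoint may touch; never take the
    //    option name from the request.
    $allowed = array( 'example_gsheet_api_token', 'example_gsheet_settings' );
    foreach ( $allowed as $option ) {
        delete_option( $option );
    }

    wp_send_json_success( array( 'restored' => true ) );
}
add_action( 'wp_ajax_example_restore', 'example_hardened_restore_action' );

// The admin page that renders the "restore defaults" button must issue the
// matching nonce so the client can send it in the 'nonce' request field:
// echo wp_nonce_field( 'example_restore_nonce', 'nonce', true, false );
```

The order matters: the nonce check defends against cross-site request forgery, the capability check defends against the authorization gap this CVE describes, and neither substitutes for the other. `manage_options` is the usual capability for settings that affect the whole site; a plugin with finer-grained roles could substitute its own custom capability.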
Defensive priority
Medium. Patch promptly on any site that uses the plugin, and raise priority if the plugin protects production automation or sensitive Google Sheets credentials. The CVSS score is 4.3, but the practical impact can include loss of configuration and interruption of imports.
Recommended defensive actions
- Update GSheet For Woo Importer to a fixed version as soon as one is available; the issue affects all versions up to and including 2.3.1.
- Review the plugin’s Google Sheets API token and configuration after any unexpected resets or administrative changes.
- Limit low-privilege authenticated access where possible, and monitor for suspicious restore or settings-change activity.
- Check backups and site logs for unauthorized deletion of the plugin’s token or configuration options.
- If you cannot remediate quickly, consider disabling the plugin until a corrected release is deployed.
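For the monitoring and interim-containment items above, a small must-use plugin can observe every deletion of the watched options and refuse it when the actor lacks `manage_options`. This is an added example, not code from the plugin or from Wordfence, and the option names in it are constructed placeholders that must be replaced with the plugin's real option keys after checking them in its source. It relies only on the core `delete_option` action, which fires before the row is removed.

```php
<?php
/**
 * Plugin Name: Example option-deletion monitor (added example, not project code)
 *
 * Drop into wp-content/mu-plugins/ to log any attempt to delete the watched
 * options, with the acting user, request type and client address, and to
 * refuse the deletion when the actor lacks manage_options.
 *
 * The option names are constructed placeholders; substitute the plugin's
 * real option keys after confirming them in its source.
 */

const EXAMPLE_WATCHED_OPTIONS = array(
    'example_gsheet_api_token',  // placeholder option name
    'example_gsheet_settings',   // placeholder option name
);

/**
 * Build one log line describing who is deleting which option and how.
 * Kept separate from the hook so the format is easy to adjust.
 */
function example_describe_option_deletion( $option ) {
    $user = wp_get_current_user();
    $who  = $user->exists() ? sprintf( '%s (ID %d)', $user->user_login, $user->ID ) : 'unauthenticated';
    $how  = wp_doing_ajax() ? 'admin-ajax' : ( ( defined( 'WP_CLI' ) && WP_CLI ) ? 'wp-cli' : 'web' );
    $addr = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : 'n/a';
    $act  = isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '-';

    return sprintf(
        '[option-monitor] delete_option(%s) by %s via %s action=%s from %s can_manage_options=%s',
        $option,
        $who,
        $how,
        $act,
        $addr,
        current_user_can( 'manage_options' ) ? 'yes' : 'no'
    );
}

/**
 * 'delete_option' fires *before* the row is removed, so this is the last
 * point at which a deletion can be observed with its caller's context and,
 * if desired, stopped.
 */
function example_guard_option_deletion( $option ) {
    if ( ! in_array( $option, EXAMPLE_WATCHED_OPTIONS, true ) ) {
        return;
    }

    // Always record the attempt, allowed or not.
    error_log( example_describe_option_deletion( $option ) );

    // Compensating control while unpatched: a low-privilege actor must not be
    // able to wipe the integration settings. Administrators and WP-CLI runs
    // proceed normally.
    $is_cli = defined( 'WP_CLI' ) && WP_CLI;
    if ( ! $is_cli && ! current_user_can( 'manage_options' ) ) {
        wp_die(
            'Deleting this option requires administrator privileges.',
            'Forbidden',
            array( 'response' => 403 )
        );
    }
}
add_action( 'delete_option', 'example_guard_option_deletion' );
```

With `WP_DEBUG_LOG` enabled the line lands in wp-content/debug.log; otherwise it goes wherever PHP's `error_log` setting points. The `action=` field pairs with the web server access log for admin-ajax.php, which is the quickest way to confirm whether an unexpected reset of the token or settings came through the AJAX path the advisory describes. Because the guard runs inside core's `delete_option()`, it also covers any other code path that deletes the same options, and it should be removed once the fixed plugin release is installed.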
Evidence notes
The NVD record for CVE-2026-4843 was published on 2026-05-21 and modified the same day. Its metadata lists CVSS 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N), CWE-862, and vulnStatus Deferred. Wordfence’s advisory links the flaw to AdminSettingsAction.php line 391 in the WordPress plugin repository and states that authenticated Subscriber-level users can delete the plugin’s Google Sheets API token and configuration options.
Official resources
The source record was published at 2026-05-21T20:16:14.723Z and modified at 2026-05-21T21:03:56.320Z. The NVD metadata currently shows vulnStatus Deferred.