{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-1463", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-02-18T23:11:16.617Z", "datePublished": "2025-03-05T11:22:07.965Z", "dateUpdated": "2026-04-08T16:32:51.610Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:32:51.610Z"}, "affected": [{"vendor": "javmah", "product": "WPGSI: Spreadsheet Integration", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.8.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Spreadsheet Integration plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.8.2. This is due to improper nonce validation within the class-wpgsi-show.php script. This makes it possible for unauthenticated attackers to publish arbitrary posts, including private, granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "Spreadsheet Integration <= 3.8.2 - Cross-Site Request Forgery to Arbitrary Post Publish", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/034ba83f-4ee3-40f1-a41a-8b3d0055a1ba?source=cve"}, {"url": "https://wordpress.org/plugins/wpgsi/#developers"}, {"url": "https://plugins.trac.wordpress.org/browser/wpgsi/trunk/admin/class-wpgsi-show.php"}, {"url": "https://plugins.trac.wordpress.org/changeset/3250077/#file352"}, {"url": "https://plugins.trac.wordpress.org/changeset/3250077/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Krzysztof Zaj\u0105c"}], "timeline": [{"time": "2025-03-04T22:06:29.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-05T14:26:02.582650Z", "id": "CVE-2025-1463", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-05T14:26:53.806Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-1463", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-02-18T23:11:16.617Z", "datePublished": "2025-03-05T11:22:07.965Z", "dateUpdated": "2025-03-05T14:26:53.806Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-03-05T11:22:07.965Z"}, "affected": [{"vendor": "javmah", "product": "Spreadsheet Integration \u2013 Automate Google Sheets With WordPress, WooCommerce & Most Popular Form Plugins. Also, Display Google sheet as a Table.", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "3.8.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Spreadsheet Integration plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.8.2. This is due to improper nonce validation within the class-wpgsi-show.php script. This makes it possible for unauthenticated attackers to publish arbitrary posts, including private, granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "Spreadsheet Integration <= 3.8.2 - Cross-Site Request Forgery to Arbitrary Post Publish", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/034ba83f-4ee3-40f1-a41a-8b3d0055a1ba?source=cve"}, {"url": "https://wordpress.org/plugins/wpgsi/#developers"}, {"url": "https://plugins.trac.wordpress.org/browser/wpgsi/trunk/admin/class-wpgsi-show.php"}, {"url": "https://plugins.trac.wordpress.org/changeset/3250077/#file352"}, {"url": "https://plugins.trac.wordpress.org/changeset/3250077/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Krzysztof Zaj\u0105c"}], "timeline": [{"time": "2025-03-04T22:06:29.000+00:00", "lang": "en", "value": "Disclosed"}]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-1463", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-05T14:26:02.582650Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-05T14:26:08.152Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Spreadsheet Integration plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.8.2. This is due to improper nonce validation within the class-wpgsi-show.php script. This makes it possible for unauthenticated attackers to publish arbitrary posts, including private, granted they can trick a site administrator into performing an action such as clicking on a link."}, {"lang": "es", "value": "El complemento Spreadsheet Integration para WordPress es vulnerable a Cross-Site Request Forgery en todas las versiones hasta la 3.8.2 incluida. Esto se debe a una validaci\u00f3n de nonce incorrecta dentro del script class-wpgsi-show.php. Esto permite que atacantes no autenticados publiquen publicaciones arbitrarias, incluidas las privadas, siempre que puedan enga\u00f1ar a un administrador del sitio para que realice una acci\u00f3n como hacer clic en un enlace."}], "id": "CVE-2025-1463", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-03-05T12:15:35.270", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wpgsi/trunk/admin/class-wpgsi-show.php"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3250077/"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3250077/#file352"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/wpgsi/#developers"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/034ba83f-4ee3-40f1-a41a-8b3d0055a1ba?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T17:52:45.877943+00:00", "value": {"mitigation_remediation": ["Upgrade Spreadsheet Integration to the latest version that addresses nonce validation (at least 3.8.3 or later).", "If an update is unavailable, consider disabling or removing the plugin until a patch is released. ", "Limit or monitor administrator authentication sessions by enforcing strong access controls and monitoring outbound requests for anomalous POST actions."], "summary": {"action": "Update Plugin", "impact": "Cross\u2011Site Request Forgery enabling arbitrary post publication"}, "threat_synthesis": {"affected_systems": "WordPress sites that have installed the Spreadsheet Integration plugin from the vendor javmah. Versions up to and including 3.8.2 are affected. Administrators operating these sites are thus at risk.", "description_and_impact": "The vulnerability stems from an improper nonce validation in the class-wpgsi-show.php file of the Spreadsheet Integration plugin for WordPress. This defect allows attackers to forge requests on behalf of an authenticated administrator, causing posts to be published without authorization. The impact includes the creation of public, private or otherwise hidden content controlled by the attacker. The weakness is classified as CWE\u2011352, a Cross\u2011Site Request Forgery flaw.", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate severity, while the EPSS score of less than 1% suggests a very low probability of exploitation at present. The flaw is not listed in CISA\u2019s KEV catalog. Exploitability relies on social engineering: a malicious link or script must trick an site administrator into clicking in order to trigger the forged request. No additional privileges or remote code execution are required beyond the administrator\u2019s authenticated session."}}}}, "created": "2026-04-22T18:00:05.479321+00:00", "updated": "2026-04-22T18:00:05.479331+00:00", "vendors": []}