{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-67979", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-15T10:00:33.669Z", "datePublished": "2026-02-20T15:46:30.861Z", "dateUpdated": "2026-04-28T19:31:01.604Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "gsheetconnector-wpforms", "product": "WPForms Google Sheet Connector", "vendor": "WesternDeal", "versions": [{"changes": [{"at": "4.0.2", "status": "unaffected"}], "lessThanOrEqual": "4.0.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Denver Jackson | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:02:11.466Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Generation of Code ('Code Injection') vulnerability in WesternDeal WPForms Google Sheet Connector gsheetconnector-wpforms allows Code Injection.<p>This issue affects WPForms Google Sheet Connector: from n/a through <= 4.0.1.</p>"}], "value": "Improper Control of Generation of Code ('Code Injection') vulnerability in WesternDeal WPForms Google Sheet Connector gsheetconnector-wpforms allows Code Injection.This issue affects WPForms Google Sheet Connector: from n/a through <= 4.0.1."}], "impacts": [{"capecId": "CAPEC-242", "descriptions": [{"lang": "en", "value": "Code Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "description": "Improper Control of Generation of Code ('Code Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:25.025Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/gsheetconnector-wpforms/vulnerability/wordpress-wpforms-google-sheet-connector-plugin-4-0-1-remote-code-execution-rce-vulnerability?_s_id=cve"}], "title": "WordPress WPForms Google Sheet Connector plugin <= 4.0.1 - Remote Code Execution (RCE) vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-27T16:59:55.912812Z", "id": "CVE-2025-67979", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T19:31:01.604Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-67979", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-27T16:59:55.912812Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T16:58:39.532Z"}}], "cna": {"title": "WordPress WPForms Google Sheet Connector plugin <= 4.0.1 - Remote Code Execution (RCE) vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Denver Jackson | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-242", "descriptions": [{"lang": "en", "value": "Code Injection"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.9, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "WesternDeal", "product": "WPForms Google Sheet Connector", "versions": [{"status": "affected", "changes": [{"at": "4.0.2", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "4.0.1"}], "packageName": "gsheetconnector-wpforms", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:02:11.466Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/gsheetconnector-wpforms/vulnerability/wordpress-wpforms-google-sheet-connector-plugin-4-0-1-remote-code-execution-rce-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Control of Generation of Code ('Code Injection') vulnerability in WesternDeal WPForms Google Sheet Connector gsheetconnector-wpforms allows Code Injection.This issue affects WPForms Google Sheet Connector: from n/a through <= 4.0.1.", "supportingMedia": [{"type": "text/html", "value": "Improper Control of Generation of Code ('Code Injection') vulnerability in WesternDeal WPForms Google Sheet Connector gsheetconnector-wpforms allows Code Injection.<p>This issue affects WPForms Google Sheet Connector: from n/a through <= 4.0.1.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:25.025Z"}}}, "cveMetadata": {"cveId": "CVE-2025-67979", "state": "PUBLISHED", "dateUpdated": "2026-04-28T19:31:01.604Z", "dateReserved": "2025-12-15T10:00:33.669Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-20T15:46:30.861Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Generation of Code ('Code Injection') vulnerability in WesternDeal WPForms Google Sheet Connector gsheetconnector-wpforms allows Code Injection.This issue affects WPForms Google Sheet Connector: from n/a through <= 4.0.1."}, {"lang": "es", "value": "Control inadecuado de la generaci\u00f3n de c\u00f3digo ('Inyecci\u00f3n de c\u00f3digo') vulnerabilidad en WesternDeal WPForms Google Sheet Connector gsheetconnector-wpforms permite la inyecci\u00f3n de c\u00f3digo. Este problema afecta a WPForms Google Sheet Connector: desde n/a hasta &lt;= 4.0.1."}], "id": "CVE-2025-67979", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-20T16:22:04.190", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/gsheetconnector-wpforms/vulnerability/wordpress-wpforms-google-sheet-connector-plugin-4-0-1-remote-code-execution-rce-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.0.1]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "4.0.2"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "WPForms Google Sheet Connector", "source": "cna", "vendor": "WesternDeal"}, "product": "wpforms_google_sheet_connector", "vendor": "westerndeal"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-28T09:39:07.082010+00:00", "value": {"mitigation_remediation": ["Upgrade the WPForms Google Sheet Connector plugin to the latest version that resolves the injection issue.", "If an upgrade is not feasible, consider disabling or removing the plugin entirely until a safe version is available.", "Implement web\u2011application\u2011firewall rules to block suspicious input patterns targeting the plugin\u2019s API endpoints."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "All installations using WesternDeal WPForms Google Sheet Connector plugin version 4.0.1 or earlier are affected. The issue spans from the earliest releases up to and including version 4.0.1.", "description_and_impact": "The WPForms Google Sheet Connector plugin by WesternDeal has a critical Code Injection flaw (CWE\u201194) that allows an attacker to inject and execute arbitrary code within the WordPress environment. An attacker could trigger this by supplying crafted input that the plugin processes, leading to full control over the server or application. The vulnerability can compromise confidentiality, integrity, and availability, granting attackers the ability to install malware, exfiltrate data, or disrupt services.", "risk_and_exploitability": "The flaw has a CVSS score of 9.9, indicating critical severity. The EPSS score is below 1\u202f%, suggesting that, while the vulnerability is severe, the likelihood of exploitation is currently very low. The problem is not listed in the CISA KEV catalog. Likely exploitation would require that the plugin is active in a public or unprotected WordPress site and that attacker\u2011controlled input reaches the vulnerable code path. No public exploit is currently documented."}}}}, "created": "2026-02-23T14:46:17.993021+00:00", "updated": "2026-04-28T09:45:28.453848+00:00", "vendors": ["westerndeal", "westerndeal$PRODUCT$wpforms_google_sheet_connector", "wordpress", "wordpress$PRODUCT$wordpress"]}