Atomic Edge analysis of CVE-2025-67979:
This vulnerability is an authenticated remote code execution flaw in the GSheetConnector For WPForms plugin versions <= 4.0.1. The vulnerability allows attackers with Subscriber-level WordPress access to execute arbitrary code on the server via a missing capability check in the plugin installation/update AJAX handler. The CVSS score of 8.8 reflects the high impact of remote code execution with low privilege requirements.

Atomic Edge research identifies the root cause in the gscwpform_install_plugin() function within gsheetconnector-wpforms/includes/class-wpforms-integration.php. The vulnerable function processes AJAX requests for plugin installation and updates. The original code (lines 79-142) performs a nonce check via check_ajax_referer() but completely lacks any capability verification. A nonce only proves that the request originated from a page that rendered it (a CSRF control); it does not establish that the requesting user is authorized to install plugins, so any authenticated user, regardless of role, can trigger the plugin installation/update functionality. The function accepts two parameters, plugin_slug and download_url, which are sanitized but not validated against any restriction on where the download may come from.

The exploitation method targets the WordPress AJAX endpoint at /wp-admin/admin-ajax.php with the action parameter set to gscwpform_install_plugin. Attackers must provide a valid nonce (gscwpform_ajax_nonce) obtainable through normal plugin functionality. The payload includes a malicious download_url parameter pointing to a remote ZIP archive containing arbitrary PHP code. When processed, the vulnerable function uses WordPress's Plugin_Upgrader class to download and install the malicious plugin, achieving remote code execution. Subscriber-level attackers can obtain the required nonce through legitimate plugin interactions or by exploiting other information disclosure issues.

The patch in version 4.0.2 addresses the vulnerability through multiple security enhancements. The primary fix adds a capability check at line 154: if (!current_user_can('install_plugins')). This restricts the function to users with the install_plugins capability, typically only administrators. The patch also implements domain validation (lines 170-181) that restricts download_url sources to the current domain and downloads.wordpress.org. Additionally, the patch adds proper menu access control in gsheetconnector-wpforms.php lines 341-345, restricting the Google Sheet configuration menu to users with manage_options or activate_plugins capabilities.
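The following is an added illustration of the handler pattern described above, written here for this analysis; it is not the plugin's own code and not the 4.0.2 patch. It shows where the two controls the patch is described as adding (the install_plugins capability check and the download_url host allowlist) sit relative to the pre-existing nonce check. The function name, the nonce action/field names, and the helper name are assumptions; the WordPress core APIs used (check_ajax_referer, current_user_can, wp_parse_url, home_url, Plugin_Upgrader, WP_Ajax_Upgrader_Skin) are real.

```php
<?php
// Added example (not the plugin's code): a hardened AJAX install handler.
// Names prefixed gscwpform_example_ are assumptions for illustration only.

/**
 * Hypothetical helper mirroring the domain validation the 4.0.2 patch is
 * described as adding: the URL host must be the site's own host or
 * downloads.wordpress.org. The scheme check is an extra hardening step
 * beyond what the analysis describes.
 */
function gscwpform_example_is_allowed_download_url( $url ) {
    $parts = wp_parse_url( $url );
    if ( empty( $parts['host'] ) || empty( $parts['scheme'] ) ) {
        return false;
    }
    // Only fetch over HTTP(S); rejects ftp://, file://, data:, etc.
    if ( ! in_array( strtolower( $parts['scheme'] ), array( 'http', 'https' ), true ) ) {
        return false;
    }
    $site_host = wp_parse_url( home_url(), PHP_URL_HOST );
    $allowed   = array( strtolower( (string) $site_host ), 'downloads.wordpress.org' );
    return in_array( strtolower( $parts['host'] ), $allowed, true );
}

/**
 * Hardened handler. The vulnerable 4.0.1 handler is described as stopping
 * after step 1; steps 2 and 3 are the controls the patch adds.
 */
function gscwpform_example_install_plugin() {
    // 1. CSRF protection: proves the request came from a page that rendered
    //    the nonce. It says nothing about what the user is allowed to do.
    //    (Nonce action and POST field names are assumed.)
    check_ajax_referer( 'gscwpform_ajax_nonce', 'nonce' );

    // 2. Authorization (the missing check): only users holding the
    //    install_plugins capability may proceed. wp_send_json_error() ends
    //    the request via wp_die(), so no explicit return is needed.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $plugin_slug  = isset( $_POST['plugin_slug'] )
        ? sanitize_key( wp_unslash( $_POST['plugin_slug'] ) ) : '';
    $download_url = isset( $_POST['download_url'] )
        ? esc_url_raw( wp_unslash( $_POST['download_url'] ) ) : '';

    // 3. Source restriction: sanitizing a URL does not constrain where it
    //    points, so the host is checked against an explicit allowlist.
    if ( '' === $plugin_slug || ! gscwpform_example_is_allowed_download_url( $download_url ) ) {
        wp_send_json_error( array( 'message' => 'Download source not permitted.' ), 400 );
    }

    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/plugin.php';

    // Same core installer the analysis names; it is only reached once the
    // caller is authorized and the package source is on the allowlist.
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $download_url );

    if ( is_wp_error( $result ) || ! $result ) {
        wp_send_json_error( array( 'message' => 'Installation failed.' ), 500 );
    }
    wp_send_json_success( array( 'slug' => $plugin_slug ) );
}
// Registered for logged-in users only; deliberately no wp_ajax_nopriv_ hook.
add_action( 'wp_ajax_gscwpform_install_plugin', 'gscwpform_example_install_plugin' );
```

The ordering matters for review: the nonce check and the capability check answer different questions (did this request come from our UI, and may this user perform this action), and the host allowlist is needed even after both because a sanitized URL is still an arbitrary URL. When auditing similar AJAX handlers, look for every wp_ajax_ callback that reaches an installer or file-writing API and confirm a current_user_can() check precedes it.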

Successful exploitation results in complete remote code execution on the target WordPress server. Attackers can install malicious plugins containing arbitrary PHP code, leading to full server compromise. This enables data theft, website defacement, backdoor installation, and lateral movement within the hosting environment. The vulnerability affects all WordPress sites using the vulnerable plugin version, regardless of their specific configuration.