CVE-2025-67979
Code Injection in WPForms Google Sheet Connector
Publication date: 2026-02-20
Last updated on: 2026-02-27
Assigner: Patchstack
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| patchstack | gsheetconnector-wpforms | Up to and including 4.0.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-67979 is a high-severity remote code execution (RCE) vulnerability in the WordPress WPForms Google Sheet Connector plugin, affecting versions up to and including 4.0.1.
It is a code injection flaw (CWE-94): externally supplied input reaches a code segment without being neutralized, so an authenticated attacker can execute arbitrary code, and through it arbitrary commands, on the server hosting the site.
It falls under the OWASP Top 10 (2021) category A03: Injection.
Exploitation requires only subscriber or developer privileges, so any low-privileged account that can log in is enough, which makes it particularly dangerous on sites with open registration.
How can this vulnerability impact me?
This vulnerability can give an attacker a persistent backdoor and full control over the affected WordPress site.
With arbitrary code execution, the attacker can read or modify site data and database contents, deface the website, steal credentials and other sensitive information, plant web shells, or use the server as a staging point for further attacks.
Because only subscriber or developer privileges are needed, a single compromised or malicious low-level account is sufficient to take over the site.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability allows remote code execution via the WPForms Google Sheet Connector plugin up to and including version 4.0.1. The most reliable check is the installed plugin version: anything at or below 4.0.1 is vulnerable. Detection of exploitation attempts means monitoring for unusual or unauthorized code execution on the WordPress site, especially activity originating from subscriber- or developer-level accounts.
The advisory does not publish the exact request that triggers the flaw, so detection relies on general indicators: authenticated requests that reach the plugin's code paths, unusual POST requests from low-privileged accounts in the web server logs, and signs of injected code or newly written files on the host.
- Use web server log analysis tools to identify suspicious requests to the WPForms Google Sheet Connector plugin.
- Run WordPress security plugins or scanners that can detect known vulnerable plugin versions.
- Check the installed plugin version with the command: wp plugin list | grep gsheetconnector-wpforms
- Monitor for unexpected command execution or new files created in the WordPress installation directory.
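The version check above is the one step a practitioner can fully automate, so here is an added example (not code from the advisory, Patchstack, or the plugin vendor) that turns it into a POSIX shell function. It assumes the output shape of `wp plugin list --format=csv` (a `name,status,update,version` header followed by one row per plugin); the sample plugin list is constructed inline so the script runs without WordPress or WP-CLI, and 4.0.2 is taken from the mitigation section as the first fixed release.

```shell
#!/bin/sh
# Added example: flag a vulnerable WPForms Google Sheet Connector install.
# Assumption: `wp plugin list --format=csv` prints "name,status,update,version".

PLUGIN_SLUG="gsheetconnector-wpforms"
FIXED_VERSION="4.0.2"   # first release the advisory lists as patched

# version_lt A B: exit 0 if dotted version A is strictly lower than B.
# Compares field by field numerically; missing fields count as 0, so
# "4" < "4.0.1" and "4.0.10" > "4.0.2" (plain string compare would get both wrong).
version_lt() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai="${a%%.*}"; bi="${b%%.*}"
    [ "$a" = "$ai" ] && a="" || a="${a#*.}"
    [ "$b" = "$bi" ] && b="" || b="${b#*.}"
    ai="${ai:-0}"; bi="${bi:-0}"
    if [ "$ai" -lt "$bi" ]; then return 0; fi
    if [ "$ai" -gt "$bi" ]; then return 1; fi
  done
  return 1
}

# assess_plugin CSV: prints "NOT_INSTALLED", "VULNERABLE <ver>" or "PATCHED <ver>".
assess_plugin() {
  ver="$(printf '%s\n' "$1" | awk -F, -v slug="$PLUGIN_SLUG" 'NR > 1 && $1 == slug { print $4 }')"
  if [ -z "$ver" ]; then
    echo "NOT_INSTALLED"
  elif version_lt "$ver" "$FIXED_VERSION"; then
    echo "VULNERABLE $ver"
  else
    echo "PATCHED $ver"
  fi
  return 0
}

# Constructed sample in the assumed wp-cli CSV layout (not real output).
SAMPLE_PLUGIN_LIST='name,status,update,version
akismet,inactive,none,5.3
gsheetconnector-wpforms,active,available,4.0.1
wpforms-lite,active,none,1.9.0'

assess_plugin "$SAMPLE_PLUGIN_LIST"
# On a live site, run from the WordPress root instead:
#   assess_plugin "$(wp plugin list --format=csv)"
```

The numeric comparison matters because `4.0.10` sorts after `4.0.2` only when each dotted field is compared as a number; a plain `grep`/string comparison would misclassify such releases.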
What immediate steps should I take to mitigate this vulnerability?
The most immediate and effective mitigation is to update the WPForms Google Sheet Connector plugin to version 4.0.2 or later, where this vulnerability is patched.
Until the update can be applied, enable the automatic mitigation rule provided by Patchstack, which blocks requests targeting this vulnerability; if no such control is available, deactivating the plugin removes the vulnerable code path.
Additionally, consider enabling auto-updates for plugins so that fixes for similar issues are applied without delay.
Review every account holding subscriber or developer privileges, remove those that are not needed, and disable open registration where it is not required, since those privilege levels are sufficient to exploit this issue.