WPGSI: Spreadsheet Integration Vulnerability (High) – CVE-2026-1916


Feb 24, 2026 | Plugins

Attack Vectors

WPGSI: Spreadsheet Integration (slug: wpgsi) versions 3.8.3 and earlier are affected by a High severity vulnerability (CVSS 7.5) that enables unauthenticated attackers to create and delete WordPress posts by abusing exposed REST API endpoints.

The vulnerable REST routes are handled by the plugin callbacks wpgsi_callBackFuncAccept and wpgsi_callBackFuncUpdate and are registered with permission_callback => '__return_true'. In WordPress, a permission callback that always returns true means every request is treated as authorized, so the routes can be invoked without a logged-in user session, a nonce, or any other proof of identity.

The plugin attempts to “authenticate” requests using a custom token that is simply a Base64-encoded JSON object containing a user ID and email address. Base64 is an encoding, not a signature or encryption: anyone can decode the token, change the user ID or email, and re-encode it. Because nothing ties the token to a server-side secret, an attacker can forge a token for any user without possessing any credential and impersonate that identity in requests to these endpoints.
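The forgeability described above, as an added example that is not part of the original advisory or the plugin’s code: plain PHP, runnable from the command line without WordPress, that mints the kind of unsigned Base64 token described, shows that anyone can produce one for an arbitrary user, and contrasts it with an HMAC-SHA256-signed token that also carries an expiry. The JSON field names (user_id, email, exp), the secret, and the sample identities are assumptions constructed for the example.

```php
<?php
// Added example, not code from the wpgsi plugin. The token layout (a JSON
// object with "user_id" and "email" fields, Base64-encoded) follows the
// advisory's description; the field names themselves are assumptions.

// --- Weak scheme: an unsigned Base64 token -------------------------------
function weak_token_issue(int $user_id, string $email): string {
    return base64_encode(json_encode(['user_id' => $user_id, 'email' => $email]));
}

function weak_token_parse(string $token): ?array {
    $json = base64_decode($token, true);
    $data = ($json === false) ? null : json_decode($json, true);
    return is_array($data) ? $data : null;
}

// --- Hardened scheme: the same payload plus an HMAC-SHA256 tag -------------
// $secret is a long random value known only to the server (inside WordPress,
// wp_salt('auth') is a suitable source). The expiry bounds replay of a stolen token.
function signed_token_issue(int $user_id, string $email, int $exp, string $secret): string {
    $b64 = base64_encode(json_encode(['user_id' => $user_id, 'email' => $email, 'exp' => $exp]));
    return $b64 . '.' . hash_hmac('sha256', $b64, $secret);
}

function signed_token_verify(string $token, string $secret, int $now): ?array {
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;
    }
    [$b64, $sig] = $parts;
    // Check the tag before decoding anything, with a constant-time comparison
    // (never == or === on a MAC). Known value first, attacker-controlled value second.
    if (!hash_equals(hash_hmac('sha256', $b64, $secret), $sig)) {
        return null;
    }
    $data = weak_token_parse($b64);
    if ($data === null || !isset($data['exp']) || $data['exp'] < $now) {
        return null;
    }
    return $data;
}

// --- Demonstration --------------------------------------------------------
$secret = random_bytes(32); // constructed for the example; a real one lives server side only
$now    = time();

// 1. Forging the weak token needs no secret: mint one for user ID 1 (usually the
//    first administrator) and the parser reads it back as that user.
$forged = weak_token_issue(1, 'admin@example.com');
$parsed = weak_token_parse($forged);
echo "weak token forged for user_id=", $parsed['user_id'], " (", $parsed['email'], ")\n";

// 2. The same payload with a made-up tag is rejected by the signed scheme.
$fakeTag = $forged . '.' . str_repeat('0', 64);
echo "forged tag accepted? ", var_export(signed_token_verify($fakeTag, $secret, $now) !== null, true), "\n";

// 3. A token the server issued verifies...
$good = signed_token_issue(1, 'admin@example.com', $now + 3600, $secret);
echo "issued token accepted? ", var_export(signed_token_verify($good, $secret, $now) !== null, true), "\n";

// 4. ...swapping the payload while keeping the genuine tag is detected...
[, $realTag] = explode('.', $good);
$swapped = base64_encode(json_encode(['user_id' => 2, 'email' => 'x@example.com', 'exp' => $now + 3600])) . '.' . $realTag;
echo "swapped payload accepted? ", var_export(signed_token_verify($swapped, $secret, $now) !== null, true), "\n";

// 5. ...and an expired token is refused even though its tag is valid.
$expired = signed_token_issue(1, 'admin@example.com', $now - 1, $secret);
echo "expired token accepted? ", var_export(signed_token_verify($expired, $secret, $now) !== null, true), "\n";
```

A valid signature only establishes who the caller claims to be; it does not decide what they may do. The route still needs an authorization check, so a WordPress `permission_callback` should return something like `current_user_can( 'edit_posts' )` (or `delete_posts` for deletions) for the resolved user rather than `'__return_true'`, and where possible a plugin should rely on WordPress’s own cookie-plus-nonce or application-password authentication instead of a bespoke token at all.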

Security Weakness

CVE-2026-1916 combines two high-risk weaknesses: a missing authorization check (the routes never verify the caller’s capabilities) and an insecure authentication mechanism (a Base64 token with no signature, which anyone can forge).

From a governance perspective, this is a classic “trust without verification” failure: the system accepts requests as authorized without validating that the requester is authenticated and permitted to perform actions that modify content.

Technical or Business Impacts

The most immediate impact is unauthorized content manipulation: attackers can create posts (including spam, malicious links, or brand-damaging content) and delete posts (causing data loss and operational disruption). Even where backups exist, recovery time and downstream impacts can be significant.

For marketing, this can translate to reputation damage, SEO harm, broken campaigns, and loss of trust if visitors encounter unexpected or malicious content. For executives and compliance teams, unauthorized changes to public-facing content can trigger incident response costs, potential audit findings, and increased scrutiny over access controls and change management.

Remediation: Update WPGSI: Spreadsheet Integration to version 3.8.4 or a newer patched release. If you cannot update immediately, deactivating the plugin removes its REST routes until you can. Confirm the plugin is updated across all environments (production, staging, and any regional sites), then review recent post activity for unexplained creations or deletions, and web server access logs for unexpected requests to the plugin’s REST routes, covering the whole period the vulnerable version was deployed.

Similar attacks (real-world examples): Content-management platforms and plugins are frequently targeted for unauthorized content changes, including (1) the WordPress REST API content injection flaw in 4.7.0 and 4.7.1 (2017), fixed in the WordPress 4.7.2 security release, which let unauthenticated attackers modify existing posts and deface sites; (2) the WP GDPR Compliance plugin vulnerability (2018), analysed by Sucuri, which allowed unauthenticated changes to site settings and creation of administrator users; and (3) the SoakSoak campaign (2014), documented by Sucuri, which infected WordPress sites through a vulnerable bundled component and led to widespread site manipulation.
