Attack Vectors
WooCommerce Google Sheet Connector (GSheetConnector for WC, slug: wc-gsheetconnector) versions prior to 1.3.6 are affected by a Medium-severity Cross-Site Request Forgery (CSRF) issue tracked as CVE-2023-2329 (CVSS 4.3; CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N).
In practical terms, an attacker does not need an account on your site, but they do need to trick a logged-in WordPress administrator into taking an action (such as clicking a link in an email or chat message, or simply viewing a web page). That “one click” can silently submit a forged request to your WordPress site using the administrator's existing session.
Because this vulnerability targets how the plugin updates its access code, the most realistic entry point is social engineering aimed at an administrator or operations user who manages WooCommerce integrations and reporting.
Security Weakness
This issue is caused by missing or incorrect nonce validation when updating the plugin’s access code. In WordPress, nonces are the primary safeguard that ties a sensitive settings change to an authorized administrator's own session, so the plugin can distinguish a request the administrator intentionally submitted from one that was merely forged.
Without reliable nonce validation on the relevant settings action, a forged request can be accepted as if the administrator submitted it themselves—creating an integrity risk for your WooCommerce-to-Google-Sheets connection configuration.
Source: Wordfence vulnerability advisory.
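To make the weakness concrete, the following is an added illustrative example (not the plugin's own code): a settings handler written without nonce validation, beside the hardened form that binds the request to a nonce and a capability check. The option name `example_gsheet_access_code`, the action `example_save_access_code`, and the settings page slug are hypothetical placeholders.

```php
<?php
// Added illustrative example, not the plugin's own code. The option name
// 'example_gsheet_access_code', the action 'example_save_access_code' and the
// settings page slug are hypothetical placeholders.

// BEFORE: the CSRF-prone pattern. Any POST that reaches this handler while an
// administrator is logged in is accepted, because nothing proves the admin's
// own settings form produced the request.
function example_save_access_code_unprotected() {
    if ( isset( $_POST['access_code'] ) ) {
        update_option( 'example_gsheet_access_code', sanitize_text_field( wp_unslash( $_POST['access_code'] ) ) );
    }
    wp_safe_redirect( admin_url( 'admin.php?page=example-settings' ) );
    exit;
}

// AFTER, step 1: the settings form embeds a nonce bound to this action and
// to the current user's session. A third-party page cannot read this value.
function example_render_access_code_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_access_code">
        <?php wp_nonce_field( 'example_save_access_code', '_wpnonce' ); ?>
        <input type="text" name="access_code"
               value="<?php echo esc_attr( get_option( 'example_gsheet_access_code', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// AFTER, step 2: the handler verifies the nonce AND the capability before it
// writes. check_admin_referer() stops the request (403) when the nonce is
// missing, expired or forged; the capability check is still required because
// a valid nonce proves intent, not authorization.
function example_save_access_code_protected() {
    check_admin_referer( 'example_save_access_code', '_wpnonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ), '', array( 'response' => 403 ) );
    }
    $code = isset( $_POST['access_code'] ) ? sanitize_text_field( wp_unslash( $_POST['access_code'] ) ) : '';
    update_option( 'example_gsheet_access_code', $code );
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'admin.php?page=example-settings' ) ) );
    exit;
}

// Only the protected handler is wired to the admin-post.php action.
add_action( 'admin_post_example_save_access_code', 'example_save_access_code_protected' );
```

When reviewing a plugin update for this class of fix, look for exactly this pairing on every state-changing admin action: a `wp_nonce_field()` / `wp_create_nonce()` on the form side and a `check_admin_referer()` or `wp_verify_nonce()` plus `current_user_can()` on the handler side.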
Technical or Business Impacts
The stated impact is the ability for an unauthenticated attacker to update the access code via a forged request if an administrator is tricked into interacting with attacker-controlled content. While the CVSS rating indicates no direct confidentiality impact (C:N), it does indicate a loss of integrity (I:L), which matters for revenue reporting and operational workflows.
For marketing, finance, and operations teams, the business risks may include:
Data integrity and reporting risk: if an access code is changed unexpectedly, your order or customer-related spreadsheet workflows could be disrupted or pointed to the wrong place, leading to incorrect dashboards, attribution errors, and decision-making based on incomplete or inaccurate data.
Operational disruption: integrations failing or behaving inconsistently can create manual rework for teams (reconciliation, re-exporting data, investigating “missing” orders in spreadsheets), increasing time-to-close for monthly reporting.
Compliance and audit concerns: unauthorized configuration changes to systems that process commerce data can trigger internal audit questions and complicate evidence gathering during compliance reviews, even if no breach is confirmed.
Remediation: Update WooCommerce Google Sheet Connector / GSheetConnector for WC to version 1.3.6 or newer (patched). Prioritize this update if administrators who manage WooCommerce integrations are likely targets of phishing or if spreadsheet-based reporting is business-critical.
Similar Attacks
Drive-by pharming (router CSRF): A well-known class of CSRF attacks has targeted home/SMB routers by tricking users into visiting a page that silently changes DNS or admin settings—demonstrating how “one click” can lead to unauthorized configuration changes without the victim realizing it. See: https://en.wikipedia.org/wiki/Drive-by_pharming.