CVE-2026-1916 – The WPGSI: Spreadsheet Integration plugin for W... (How to Fix)

Q: What is the severity of CVE-2026-1916?

CVE-2026-1916 has a CVSS score of 7.5 (HIGH). The WPGSI: Spreadsheet Integration plugin for WordPress has critical REST API endpoints that lack proper authentication and authorization checks. Unauthenticated attackers can forge tokens using publicly available administrator information to create, modify, and delete WordPress posts and pages. All WordPress sites using this plugin up to version 3.8.3 are affected.

📋 TL;DR

The WPGSI: Spreadsheet Integration plugin for WordPress has critical REST API endpoints that lack proper authentication and authorization checks. Unauthenticated attackers can forge tokens using publicly available administrator information to create, modify, and delete WordPress posts and pages. All WordPress sites using this plugin up to version 3.8.3 are affected.

💻 Affected Systems

Products:

WPGSI: Spreadsheet Integration WordPress plugin

Versions: All versions up to and including 3.8.3

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: Requires the plugin to be installed and active. Remote updates must be enabled for the integration ID being targeted.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete website defacement, data destruction, or injection of malicious content leading to further compromise.

🟠

Likely Case

Unauthorized modification or deletion of posts/pages, potentially disrupting website functionality.

🟢

If Mitigated

No impact if proper authentication and authorization controls are implemented.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires knowledge of administrator email address and an active integration ID with remote updates enabled.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.8.4 or later

Vendor Advisory: https://wordpress.org/plugins/wpgsi/

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find 'WPGSI: Spreadsheet Integration'. 4. Click 'Update Now' if available. 5. Alternatively, download latest version from WordPress plugin repository and manually update.

🔧 Temporary Workarounds

Disable vulnerable REST endpoints

all

Remove or restrict access to the wpgsi_callBackFuncAccept and wpgsi_callBackFuncUpdate REST API endpoints.

Add to theme's functions.php or custom plugin: remove_action('rest_api_init', 'wpgsi_register_rest_routes');

Block plugin REST endpoints at web server

all

Configure web server to block requests to vulnerable endpoints.

For Apache: RewriteRule ^wp-json/wpgsi/.* - [F]
For Nginx: location ~* ^/wp-json/wpgsi/ { deny all; }

🧯 If You Can't Patch

Immediately disable the WPGSI plugin entirely.
Implement strict network access controls to block external access to WordPress REST API endpoints.

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Installed Plugins for WPGSI version 3.8.3 or earlier.

Check Version:

wp plugin list --name=wpgsi --field=version

Verify Fix Applied:

Confirm WPGSI plugin version is 3.8.4 or later in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

Unusual POST requests to /wp-json/wpgsi/v1/ endpoints from unauthenticated IPs
Sudden modifications to posts/pages without corresponding user activity

Network Indicators:

HTTP requests to /wp-json/wpgsi/v1/callback or /wp-json/wpgsi/v1/update without authentication headers

SIEM Query:

source="wordpress" AND (url="/wp-json/wpgsi/v1/callback" OR url="/wp-json/wpgsi/v1/update") AND http_method="POST" AND user_agent!="WordPress/*"

📊 Metadata

CVE ID: CVE-2026-1916

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE: CWE-862

Published: February 25, 2026

Last Updated: February 25, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-1916, you might also want to check these: