CVE-2026-1916
Published: 25 February 2026
Summary
CVE-2026-1916 is a high-severity Missing Authorization (CWE-862) vulnerability in the WPGSI: Spreadsheet Integration plugin for WordPress (the affected product is inferred from the references). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 38.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-5 (Authenticator Management).
Deeper analysis
CVE-2026-1916 is a vulnerability in the WPGSI: Spreadsheet Integration plugin for WordPress, affecting all versions up to and including 3.8.3. It enables unauthorized modification and loss of data due to missing capability checks and an insecure authentication mechanism in the REST API functions `wpgsi_callBackFuncAccept` and `wpgsi_callBackFuncUpdate`. These endpoints are configured with `permission_callback => '__return_true'`, granting unauthenticated access. The plugin's custom token-based validation uses a Base64-encoded JSON object containing the user ID and email address, but it is not cryptographically signed.
Unauthenticated attackers can exploit this vulnerability by forging tokens from publicly enumerable information, such as an administrator's user ID and email address. Exploitation requires knowledge of the administrator's email address and an active integration ID with remote updates enabled; with those, attackers can create, modify, and delete arbitrary WordPress posts and pages. The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) and is linked to CWE-862 (Missing Authorization). The vector records no confidentiality or availability impact; the score is driven entirely by the high integrity impact of unauthenticated content modification and deletion.
References point to specific lines in the plugin's source code, including `admin/class-wpgsi-update.php` at lines 116, 636, and 94 in tags/3.8.3, as well as similar locations in the trunk version. No explicit mitigation or patch details are provided in the available references.
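The references give no vendor patch, so the following is an added illustration written for this page, not the WPGSI plugin's own code. It reconstructs the weak pattern the advisory describes (a route registered with `permission_callback => '__return_true'` and a "token" that is only Base64-encoded JSON holding a user ID and email) and places it beside a hardened route that enforces a WordPress capability check and accepts only an HMAC-signed, expiring token verified with a constant-time comparison. The route namespace `example/v1`, the header name `X-Example-Token`, the parameter names and every `example_*` function name are assumptions.

```php
<?php
// Added example for this page, not code from the WPGSI plugin. Names marked
// "assumed" are not from the advisory. Runs inside WordPress (uses its APIs).

// ---- Weak pattern, as the advisory describes it (reconstruction) ----
// Anyone can build this "token": base64( {"id":1,"email":"admin@example.com"} ).
function example_forge_token( $user_id, $email ) {
    return base64_encode( wp_json_encode( array( 'id' => (int) $user_id, 'email' => $email ) ) );
}

// The check only confirms that the ID and email match a real user. Nothing
// proves the caller is that user, so knowing an admin's ID and email suffices.
function example_insecure_is_valid_token( $token ) {
    $data = json_decode( base64_decode( (string) $token ), true );
    if ( ! is_array( $data ) || empty( $data['id'] ) || empty( $data['email'] ) ) {
        return false;
    }
    $user = get_user_by( 'id', (int) $data['id'] );
    return $user && $user->user_email === $data['email'];
}

// ---- Hardened pattern ----
// Tokens are signed with a server-side secret (wp_salt('auth')) and expire, so
// they cannot be forged from public data. 'exp' field name is assumed.
function example_issue_token( $user_id, $ttl_seconds = 3600 ) {
    $payload = wp_json_encode( array( 'id' => (int) $user_id, 'exp' => time() + $ttl_seconds ) );
    $sig     = hash_hmac( 'sha256', $payload, wp_salt( 'auth' ) );
    return base64_encode( $payload ) . '.' . $sig;
}

// Returns the WP_User the token was issued to, or null if it is invalid/expired.
function example_verify_token( $token ) {
    $parts = explode( '.', (string) $token, 2 );
    if ( 2 !== count( $parts ) ) {
        return null;
    }
    $payload = base64_decode( $parts[0], true );
    if ( false === $payload ) {
        return null;
    }
    $expected = hash_hmac( 'sha256', $payload, wp_salt( 'auth' ) );
    if ( ! hash_equals( $expected, $parts[1] ) ) { // constant-time comparison
        return null;
    }
    $data = json_decode( $payload, true );
    if ( ! is_array( $data ) || empty( $data['id'] ) || empty( $data['exp'] ) || (int) $data['exp'] < time() ) {
        return null;
    }
    $user = get_user_by( 'id', (int) $data['id'] );
    return $user ? $user : null;
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/update', array( // namespace/route assumed
        'methods'             => 'POST',
        'callback'            => 'example_update_handler',
        // Never '__return_true': this callback decides who may reach the handler.
        'permission_callback' => function ( WP_REST_Request $request ) {
            $user = example_verify_token( $request->get_header( 'x-example-token' ) ); // header assumed
            if ( $user ) {
                // Bind the request to the token's user so later capability checks apply to them.
                wp_set_current_user( $user->ID );
            }
            // Covers both the signed-token path and normal cookie+nonce REST auth.
            return current_user_can( 'edit_posts' );
        },
    ) );
} );

function example_update_handler( WP_REST_Request $request ) {
    $post_id = (int) $request->get_param( 'post_id' ); // parameter assumed
    // Object-level check: permission to edit posts in general is not permission to edit this one.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return new WP_Error( 'rest_forbidden', 'Not allowed to edit this post.', array( 'status' => 403 ) );
    }
    $result = wp_update_post( array(
        'ID'         => $post_id,
        'post_title' => sanitize_text_field( (string) $request->get_param( 'title' ) ), // parameter assumed
    ), true );
    return is_wp_error( $result ) ? $result : rest_ensure_response( array( 'updated' => $result ) );
}
```

Two points the weak pattern makes concrete: with `__return_true` the REST layer's own authorization never runs, so a handler that only compares an email against a decoded user ID is effectively unauthenticated; and WordPress user IDs are routinely enumerable (author archives, the `wp/v2/users` endpoint), so an ID/email pair is public data, not a credential. The hardened version keys the HMAC to `wp_salt('auth')`, so rotating the site's salts invalidates all outstanding tokens, which is the desired behaviour after a compromise.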
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8630
Vulnerability details
The WPGSI: Spreadsheet Integration plugin for WordPress is vulnerable to unauthorized modification and loss of data due to missing capability checks and an insecure authentication mechanism on the `wpgsi_callBackFuncAccept` and `wpgsi_callBackFuncUpdate` REST API functions in all versions up to, and including, 3.8.3. Both REST endpoints use `permission_callback => '__return_true'`, allowing unauthenticated access. The plugin's custom token-based validation relies on a Base64-encoded JSON object containing the user ID and email address, but is not cryptographically signed. This makes it possible for unauthenticated attackers to forge tokens using publicly enumerable information (admin user ID and email) to create, modify, and delete arbitrary WordPress posts and pages, granted they know the administrator's email address and an active integration ID with remote updates enabled.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
T1190 (Exploit Public-Facing Application): missing authorization on public REST endpoints lets an unauthenticated attacker exploit the Internet-facing WordPress plugin directly to modify or delete content.
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): enforces approved authorizations for access to the vulnerable REST API endpoints, directly countering the missing capability checks and unauthenticated access.
- IA-5 (Authenticator Management): requires cryptographically strong authenticators resistant to forgery, addressing the unsigned Base64-encoded token validation flaw.
- Input validation (control identifier not given on the page): validates inputs such as forged tokens to the callback functions, preventing unauthorized post and page modifications.