Cyber Resilience

CVE-2026-1916

Severity: High
Published: 25 February 2026
Modified: 15 April 2026
KEV Added: not listed (not in the CISA KEV catalog)
Patch: none recorded in the available references
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS Score: 0.0018 (38.8th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-1916 is a high-severity Missing Authorization (CWE-862) vulnerability in WordPress (inferred from references). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 38.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-5 (Authenticator Management).

Deeper analysis

CVE-2026-1916 is a vulnerability in the WPGSI: Spreadsheet Integration plugin for WordPress, affecting all versions up to and including 3.8.3. It enables unauthorized modification and loss of data due to missing capability checks and an insecure authentication mechanism in the REST API functions `wpgsi_callBackFuncAccept` and `wpgsi_callBackFuncUpdate`. These endpoints are configured with `permission_callback => '__return_true'`, granting unauthenticated access. The plugin's custom token-based validation uses a Base64-encoded JSON object containing the user ID and email address, but it is not cryptographically signed.

Unauthenticated attackers can exploit this vulnerability by forging tokens with publicly enumerable information, such as an admin user ID and email address. Exploitation requires knowledge of the administrator's email address and an active integration ID with remote updates enabled, allowing attackers to create, modify, and delete arbitrary WordPress posts and pages. The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) and is linked to CWE-862 (Missing Authorization).

References point to specific lines in the plugin's source code, including `admin/class-wpgsi-update.php` at lines 116, 636, and 94 in tags/3.8.3, as well as similar locations in the trunk version. No explicit mitigation or patch details are provided in the available references.

Vulnerability details

The WPGSI: Spreadsheet Integration plugin for WordPress is vulnerable to unauthorized modification and loss of data due to missing capability checks and an insecure authentication mechanism on the `wpgsi_callBackFuncAccept` and `wpgsi_callBackFuncUpdate` REST API functions in all versions up to, and including, 3.8.3. Both REST endpoints use `permission_callback => '__return_true'`, allowing unauthenticated access. The plugin's custom token-based validation relies on a Base64-encoded JSON object containing the user ID and email address, but is not cryptographically signed. This makes it possible for unauthenticated attackers to forge tokens using publicly enumerable information (admin user ID and email) to create, modify, and delete arbitrary WordPress posts and pages, provided they know the administrator's email address and an active integration ID with remote updates enabled.

CWE(s)

CWE-862 Missing Authorization

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Missing authorization on public REST endpoints allows direct exploitation of the Internet-facing WordPress plugin to modify/delete content.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-45209 (shared CWE-862)
CVE-2026-25026 (shared CWE-862)
CVE-2026-42083 (shared CWE-862)
CVE-2026-0656 (shared CWE-862)
CVE-2026-24532 (shared CWE-862)
CVE-2025-13603 (shared CWE-862)
CVE-2025-69063 (shared CWE-862)
CVE-2026-3045 (shared CWE-862)
CVE-2025-67956 (shared CWE-862)
CVE-2025-41765 (shared CWE-862)

Affected Assets

WordPress (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent)
Enforces approved authorizations for access to the vulnerable REST API endpoints, directly countering missing capability checks and unauthenticated access.

IA-5 Authenticator Management (prevent)
Requires cryptographically strong authenticators resistant to forgery, addressing the unsigned Base64-encoded token validation flaw.

Input validation (prevent)
Validates inputs such as forged tokens to the callback functions, preventing unauthorized post and page modifications.
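The following is an added example, not the plugin's own code, showing the AC-3 and IA-5 controls applied to the endpoint pattern described under Deeper analysis: a WordPress REST route whose permission callback requires a real capability or an HMAC-signed integration token instead of `'__return_true'`. The route name, option names, header name and function names are assumptions made for this example.

```php
<?php
// Added example, not the plugin's own code: a WordPress REST route guarded the
// way the advisory's controls (AC-3, IA-5) describe. Route, option names, header
// name and function names are assumptions. The weak pattern the advisory cites
// is 'permission_callback' => '__return_true' followed by trusting an unsigned
// base64(JSON{user_id, email}) token inside the callback.
add_action( 'rest_api_init', function () {
    register_rest_route( 'my-integration/v1', '/update', array(
        'methods'             => 'POST',
        'callback'            => 'my_integration_update',
        // Hardened: access is decided here, before the callback ever runs.
        'permission_callback' => function ( WP_REST_Request $request ) {
            // Interactive use: WordPress auth plus an explicit capability (AC-3).
            if ( current_user_can( 'edit_others_posts' ) ) {
                return true;
            }
            // Unattended sheet-to-site pushes: a signed integration token (IA-5).
            if ( my_integration_token_is_valid( $request->get_header( 'X-Integration-Token' ) ) ) {
                return true;
            }
            return new WP_Error( 'rest_forbidden', 'Invalid token', array( 'status' => 401 ) );
        },
    ) );
} );
// Token = base64url(JSON{integration_id, exp}) . hex(HMAC-SHA256(payload, secret)).
// Only a holder of the server-side secret can produce the signature, so public
// facts such as a user ID and e-mail address no longer yield a usable token.
function my_integration_token_is_valid( $token ) {
    $secret = get_option( 'my_integration_secret' ); // random value set at install
    if ( ! $secret || ! is_string( $token ) || substr_count( $token, '.' ) !== 1 ) {
        return false;
    }
    list( $payload_b64, $sig ) = explode( '.', $token );
    if ( ! hash_equals( hash_hmac( 'sha256', $payload_b64, $secret ), $sig ) ) {
        return false; // constant-time compare; payload is not parsed before this
    }
    $payload = json_decode( base64_decode( strtr( $payload_b64, '-_', '+/' ) ), true );
    $active  = array_map( 'intval', (array) get_option( 'my_integration_active_ids', array() ) );
    return is_array( $payload )
        && isset( $payload['integration_id'], $payload['exp'] )
        && time() < (int) $payload['exp']                                // not expired
        && in_array( (int) $payload['integration_id'], $active, true ); // still enabled
}
function my_integration_update( WP_REST_Request $request ) {
    $result = wp_update_post( array(
        'ID'           => (int) $request['post_id'],
        'post_content' => wp_kses_post( (string) $request['content'] ),
    ), true );
    return is_wp_error( $result ) ? $result : rest_ensure_response( array( 'updated' => $result ) );
}
```

Because the signature is checked before the payload is decoded, a token built from a guessed user ID and e-mail address is rejected without the callback ever running, which is the behaviour the missing capability check and unsigned token allowed.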
