Platform: wordpress
Component: gsheetconnector-gravity-forms
Fixed in: 1.3.24
A Cross-Site Request Forgery (CSRF) vulnerability exists in the GSheetConnector for Gravity Forms plugin for WordPress, affecting versions from 1.0.0 through 1.3.23. This flaw allows attackers to trick authenticated administrators into performing actions, such as activating or deactivating plugins, without their knowledge. The vulnerability stems from insufficient nonce validation within the plugin's core functions. A patch, version 1.3.24, has been released to address this issue.
The primary impact of this CSRF vulnerability is the potential for unauthorized plugin management. An attacker could craft a malicious link or embed a hidden form on a compromised page, enticing an administrator to click or visit it. Upon interaction, the attacker can trigger actions like activating or deactivating plugins, potentially disrupting website functionality or introducing malicious code. While the CVSS score is low, successful exploitation could lead to significant operational disruptions and potential security compromises if malicious plugins are activated. The attack surface is limited to administrators with access to plugin management features.
This vulnerability was publicly disclosed on 2025-10-11. No public proof-of-concept (PoC) code has been identified at the time of writing. It is not currently listed on the CISA KEV catalog. The low CVSS score suggests a relatively low probability of exploitation, but the ease of CSRF attacks means vigilance is still required.
Exploit Status
EPSS: 0.01% (3rd percentile)
The recommended mitigation is to upgrade the GSheetConnector for Gravity Forms plugin to version 1.3.24 or later immediately. If upgrading is not immediately feasible because of compatibility concerns or breaking changes, consider a Web Application Firewall (WAF) rule that filters suspicious requests to the activateplugin and deactivateplugin endpoints, specifically requests that do not carry the expected nonce parameter. Additionally, educate administrators about the risk of clicking untrusted links or visiting unfamiliar websites while logged in, since this is the usual CSRF delivery vector. After upgrading, confirm the fix by attempting to trigger plugin activation or deactivation with a crafted cross-site request; the plugin should reject it.
Update the GSheetConnector for Gravity Forms plugin to version 1.3.24 or higher to mitigate the Cross-Site Request Forgery (CSRF) vulnerability. This update corrects the lack of nonce validation in the plugin activation and deactivation functions, preventing attackers from manipulating these actions.
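What the missing check and the fix look like in a WordPress admin-post handler, as an added illustration that is not the plugin's own code. The hook, handler and field names (gsc_toggle_plugin, gsc_nonce, op, plugin) are hypothetical, since the advisory does not name the affected functions; the WordPress API calls are real.

```php
<?php
// Added example, not the plugin's own code. Handler, hook and field names
// (gsc_toggle_plugin, gsc_nonce, op, plugin) are hypothetical.
// Shared body: the state change both handlers perform.
function gsc_apply_toggle() {
    $plugin = sanitize_text_field( wp_unslash( $_POST['plugin'] ?? '' ) );
    if ( 'deactivate' === ( $_POST['op'] ?? '' ) ) {
        deactivate_plugins( $plugin );
    } else {
        activate_plugin( $plugin );
    }
    wp_safe_redirect( admin_url( 'plugins.php' ) );
    exit;
}
// BEFORE (the flaw class the advisory describes; shown unregistered): only a
// capability check. The browser attaches the admin's login cookie to a form
// post from any origin, so current_user_can() passes for a request the admin
// never intended to make.
function gsc_toggle_plugin_unsafe() {
    if ( ! current_user_can( 'activate_plugins' ) ) {
        wp_die( 'Forbidden', 403 );
    }
    gsc_apply_toggle();
}
// AFTER: same handler with nonce validation. check_admin_referer() dies with
// a 403 when the nonce is missing, expired or minted for another action,
// before any state changes. The nonce is bound to the logged-in user and the
// action name, and a third-party page cannot read it from the admin's session.
function gsc_toggle_plugin_safe() {
    if ( ! current_user_can( 'activate_plugins' ) ) {
        wp_die( 'Forbidden', 403 );
    }
    check_admin_referer( 'gsc_toggle_plugin', 'gsc_nonce' );
    gsc_apply_toggle();
}
add_action( 'admin_post_gsc_toggle_plugin', 'gsc_toggle_plugin_safe' );
// The legitimate admin form must carry the matching nonce field.
function gsc_render_toggle_form( $plugin_file, $op ) {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="gsc_toggle_plugin">
        <input type="hidden" name="plugin" value="<?php echo esc_attr( $plugin_file ); ?>">
        <input type="hidden" name="op" value="<?php echo esc_attr( $op ); ?>">
        <?php wp_nonce_field( 'gsc_toggle_plugin', 'gsc_nonce' ); ?>
        <button type="submit" class="button"><?php echo esc_html( ucfirst( $op ) ); ?></button>
    </form>
    <?php
}
```

A capability check alone never defends against CSRF; the nonce is what distinguishes a request the administrator submitted from one their browser was tricked into sending.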
CVE-2025-8606 is a Cross-Site Request Forgery (CSRF) vulnerability affecting GSheetConnector for Gravity Forms versions 1.0.0 through 1.3.23. It allows an attacker to trick an authenticated administrator into performing actions, such as activating or deactivating plugins, without their knowledge.
You are affected if you are using GSheetConnector for Gravity Forms version 1.0.0 through 1.3.23. Upgrade to 1.3.24 or later to mitigate the risk.
Upgrade the GSheetConnector for Gravity Forms plugin to version 1.3.24 or later. Consider WAF rules as a temporary workaround if immediate upgrade is not possible.
There is no confirmed active exploitation of CVE-2025-8606 at this time, but the ease of CSRF attacks warrants caution.
Refer to the official GSheetConnector for Gravity Forms plugin documentation or their website for the latest advisory and update information.