Platform
wordpress
Component
gsheetconnector-gravity-forms
Fixed version
1.3.24
A Cross-Site Request Forgery (CSRF) vulnerability exists in the GSheetConnector for Gravity Forms plugin for WordPress, affecting versions from 1.0.0 through 1.3.23. This flaw allows attackers to trick authenticated administrators into performing actions, such as activating or deactivating plugins, without their knowledge. The vulnerability stems from insufficient nonce validation within the plugin's core functions. A patch, version 1.3.24, has been released to address this issue.
The primary impact of this CSRF vulnerability is the potential for unauthorized plugin management. An attacker could craft a malicious link or embed a hidden form on a compromised page, enticing an administrator to click or visit it. Upon interaction, the attacker can trigger actions like activating or deactivating plugins, potentially disrupting website functionality or introducing malicious code. While the CVSS score is low, successful exploitation could lead to significant operational disruptions and potential security compromises if malicious plugins are activated. The attack surface is limited to administrators with access to plugin management features.
This vulnerability was publicly disclosed on 2025-10-11. No public proof-of-concept (PoC) code has been identified at the time of writing. It is not currently listed on the CISA KEV catalog. The low CVSS score suggests a relatively low probability of exploitation, but the ease of CSRF attacks means vigilance is still required.
At risk are WordPress websites using the GSheetConnector for Gravity Forms plugin, particularly those whose administrators frequently manage plugins or visit external links while logged in. Shared hosting environments where plugin updates are managed centrally are also at increased risk, as a compromised account on one site could potentially affect others.
• wordpress / composer / npm:
  grep -rE 'activate_plugin|deactivate_plugin' /var/www/html/wp-content/plugins/gsheetconnector-for-gravity-forms/
• wordpress / composer / npm:
  wp plugin list --status=active | grep gsheetconnector
• wordpress / composer / npm:
  wp plugin update gsheetconnector-for-gravity-forms
Exploit status
EPSS
0.01% (3rd percentile)
CISA SSVC
CVSS vector
The recommended mitigation is to immediately upgrade the GSheetConnector for Gravity Forms plugin to version 1.3.24 or later. If upgrading is not immediately feasible due to compatibility concerns or breaking changes, consider implementing a Web Application Firewall (WAF) rule to filter out suspicious requests targeting the activate_plugin and deactivate_plugin endpoints. Specifically, flag requests to those endpoints that do not carry the expected nonce parameter. Additionally, educate administrators about the risks of clicking on untrusted links or visiting unfamiliar websites while logged in, as this is a common CSRF attack vector. After upgrading, confirm the fix by attempting to trigger plugin activation/deactivation via a crafted CSRF request; it should be rejected.
Update the GSheetConnector for Gravity Forms plugin to version 1.3.24 or later to mitigate the Cross-Site Request Forgery vulnerability. This update corrects the missing nonce validation in the plugin activation and deactivation functions, preventing attackers from manipulating these actions.
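To make the root cause and the fix concrete, the following is an added illustration (hypothetical code written for this page, not the GSheetConnector plugin's own source): a WordPress admin-post handler that toggles a plugin without a nonce check, beside the same handler hardened with `check_admin_referer()` and a matching `wp_nonce_field()`. The action name `example_toggle_plugin`, the nonce field `_example_nonce` and the function names are assumptions.

```php
<?php
// Added illustration, not the plugin's code. The handler names, the
// 'example_toggle_plugin' action and the '_example_nonce' field are assumptions.

// VULNERABLE pattern: only checks that the caller is a logged-in user with the
// capability. Nothing ties the request to a page the administrator actually
// loaded, so a request submitted by another site in the admin's browser passes.
function vulnerable_toggle_plugin_handler() {
    if ( ! current_user_can( 'activate_plugins' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    $plugin = sanitize_text_field( wp_unslash( $_POST['plugin'] ?? '' ) );
    $do     = sanitize_key( $_POST['do'] ?? '' );
    if ( 'activate' === $do ) {
        activate_plugin( $plugin );       // no nonce validation here
    } elseif ( 'deactivate' === $do ) {
        deactivate_plugins( $plugin );    // no nonce validation here
    }
    wp_safe_redirect( admin_url( 'plugins.php' ) );
    exit;
}

// HARDENED pattern: check_admin_referer() verifies the nonce bound to this
// action (and stops with an error page if it is missing or invalid). The
// capability check stays: a nonce proves intent, not authorization.
function hardened_toggle_plugin_handler() {
    check_admin_referer( 'example_toggle_plugin', '_example_nonce' );
    if ( ! current_user_can( 'activate_plugins' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    $plugin = sanitize_text_field( wp_unslash( $_POST['plugin'] ?? '' ) );
    $do     = sanitize_key( $_POST['do'] ?? '' );
    if ( 'activate' === $do ) {
        activate_plugin( $plugin );
    } elseif ( 'deactivate' === $do ) {
        deactivate_plugins( $plugin );
    }
    wp_safe_redirect( admin_url( 'plugins.php' ) );
    exit;
}
add_action( 'admin_post_example_toggle_plugin', 'hardened_toggle_plugin_handler' );

// The legitimate admin form must emit the matching nonce, or the hardened
// handler rejects it too. $plugin_file is e.g. 'some-plugin/some-plugin.php'.
function example_render_toggle_form( $plugin_file ) {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_toggle_plugin">';
    echo '<input type="hidden" name="plugin" value="' . esc_attr( $plugin_file ) . '">';
    wp_nonce_field( 'example_toggle_plugin', '_example_nonce' );
    echo '<button name="do" value="deactivate">Deactivate</button></form>';
}
```

The grep in the detection commands above finds the `activate_plugin`/`deactivate_plugin` calls; reviewing whether each call site is preceded by a `check_admin_referer()` or `wp_verify_nonce()` is the manual check that distinguishes the two patterns.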
CVE-2025-8606 is a Cross-Site Request Forgery (CSRF) vulnerability affecting GSheetConnector for Gravity Forms versions 1.0.0–1.3.23, allowing attackers to perform actions as an administrator.
You are affected if you are using GSheetConnector for Gravity Forms version 1.0.0 through 1.3.23. Upgrade to 1.3.24 or later to mitigate the risk.
Upgrade the GSheetConnector for Gravity Forms plugin to version 1.3.24 or later. Consider WAF rules as a temporary workaround if immediate upgrade is not possible.
There is no confirmed active exploitation of CVE-2025-8606 at this time, but the ease of CSRF attacks warrants caution.
Refer to the official GSheetConnector for Gravity Forms plugin documentation or their website for the latest advisory and update information.