Vulnerability Description
The GSheetConnector For Gravity Forms plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions less than, or equal to, 1.3.23. This is due to missing or incorrect nonce validation on the activate_plugin and deactivate_plugin functions. This makes it possible for attackers to trick authenticated administrators into activating or deactivating specified plugins via a forged request, such as clicking on a malicious link or visiting a compromised page.
CVSS Score
LOW
Related Weaknesses (CWE)
References
- https://plugins.trac.wordpress.org/browser/gsheetconnector-gravity-forms/tags/1.
- https://plugins.trac.wordpress.org/browser/gsheetconnector-gravity-forms/tags/1.
- https://plugins.trac.wordpress.org/changeset/3339653
- https://www.wordfence.com/threat-intel/vulnerabilities/id/d5c48de7-20f6-408e-b4f
FAQ
What is CVE-2025-8606?
CVE-2025-8606 is a vulnerability with a CVSS score of 2.4 (LOW). The GSheetConnector For Gravity Forms plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions less than, or equal to, 1.3.23. This is due to missing or incorrect nonce validation ...
How severe is CVE-2025-8606?
CVE-2025-8606 has been rated LOW with a CVSS base score of 2.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-8606?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.