The plugin does not have a CSRF check when updating its Access Code, which could allow attackers to make a logged-in admin change the access code to an arbitrary one via a CSRF attack.
Make a logged-in admin open https://example.com/wp-admin/admin.php?page=wc-gsheetconnector-config&code=attacker-code
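Because the access code travels in the query string of a GET request, the update leaves a trace in the web server access log. The following is an added detection example, not code from the plugin or from the advisory: it assumes Combined Log Format and treats a missing or off-site Referer as a reason to review the request, and the function name, the `trusted_hosts` parameter and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: client, timestamp, request line, status, size, referer, agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"'
)
PAGE = "wc-gsheetconnector-config"  # page slug taken from the advisory URL


def suspicious_code_updates(lines, site_host, trusted_hosts=()):
    """Return (timestamp, client ip, referer) for every request that sets
    `code` on the plugin config page without a same-site Referer."""
    # trusted_hosts is a hypothetical allow-list for origins the operator
    # knows may legitimately link to this page with a code.
    allowed = {site_host.lower(), *(h.lower() for h in trusted_hosts)}
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not Combined Log Format, skip
        url = urlsplit(m["target"])
        query = parse_qs(url.query, keep_blank_values=True)
        if not url.path.endswith("/wp-admin/admin.php"):
            continue
        if PAGE not in query.get("page", []) or "code" not in query:
            continue
        referer = m["referer"]
        ref_host = "" if referer == "-" else (urlsplit(referer).hostname or "")
        if ref_host.lower() not in allowed:
            hits.append((m["ts"], m["ip"], referer))
    return hits


# Constructed sample log lines (not real traffic).
_CFG = "/wp-admin/admin.php?page=wc-gsheetconnector-config"
SAMPLE = [
    f'203.0.113.10 - - [12/Mar/2024:10:01:02 +0000] "GET {_CFG}&code=abc123 HTTP/1.1" 200 5120 "https://example.com{_CFG}" "Mozilla/5.0"',
    f'203.0.113.10 - - [12/Mar/2024:10:05:40 +0000] "GET {_CFG}&code=attacker-code HTTP/1.1" 200 5120 "https://other.example.net/post.html" "Mozilla/5.0"',
    f'203.0.113.10 - - [12/Mar/2024:10:09:13 +0000] "GET {_CFG}&code=attacker-code HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    f'203.0.113.10 - - [12/Mar/2024:10:12:00 +0000] "GET {_CFG} HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ts, ip, referer in suspicious_code_updates(SAMPLE, "example.com"):
        print(f"{ts} {ip} access code set with referer {referer!r}")
```

A hit is a lead for review rather than proof of CSRF, since browsers and privacy settings can strip the Referer header on legitimate requests.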
CPE

Name | Operator | Version
---|---|---
wc-gsheetconnector | eq | *