CVE-2025-13136: 
WordPress 脆弱性の分析と軽減

The GSheetConnector For Ninja Forms plugin for WordPress contains a vulnerability (CVE-2025-13136) related to unauthorized access of data. The vulnerability was discovered in all versions up to and including 2.0.1, and was disclosed on November 22, 2025. The issue stems from a missing capability check on the 'njform-google-sheet-config' page, affecting WordPress installations with the GSheetConnector For Ninja Forms plugin installed (NVD).

The vulnerability is classified as a Missing Authorization issue (CWE-862) with a CVSS v3.1 Base Score of 4.3 (MEDIUM). The vulnerability vector string is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, indicating that it requires network access, low attack complexity, and low privileges to exploit. The vulnerability does not require user interaction and has a limited confidentiality impact with no impact on integrity or availability (Wordfence).

The vulnerability allows authenticated attackers with Subscriber-level access and above to retrieve sensitive information about the system through the 'njform-google-sheet-config' page. This unauthorized access to data could potentially expose system configuration details and other sensitive information (NVD).

The vulnerability has been patched in version 2.0.2 of the GSheetConnector For Ninja Forms plugin, released on November 19, 2025. Users are advised to update to this latest version to resolve the vulnerability (WordPress Plugin).