CVE-2025-22686: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability was identified in the CF7 Google Sheets Connector WordPress plugin, tracked as CVE-2025-22686. The vulnerability affects versions through 5.0.17 and allows exploiting incorrectly configured access control security levels. The issue was discovered on January 21, 2025, and publicly disclosed on January 31, 2025 (Patchstack).

The vulnerability is classified as a Broken Access Control issue (CWE-862) with a CVSS v3.1 score of 5.3 (Medium). The vulnerability vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, indicating network accessibility, low attack complexity, and no required privileges or user interaction (NVD, Patchstack).

The vulnerability allows unprivileged users to execute certain higher privileged actions due to missing authorization, authentication, or nonce token checks. The impact is considered low severity, though specific impacts may vary case by case (Patchstack).

The vulnerability has been fixed in version 5.0.18 of the CF7 Google Sheets Connector plugin. Users are advised to update to version 5.0.18 or later to remove the vulnerability. Patchstack users can enable auto-update for vulnerable plugins (Patchstack).