Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Missing Authorization vulnerability in WPPOOL FlexTable allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects FlexTable: from n/a through 3.24.0.
AnalysisAI
FlexTable WordPress plugin (versions up to and including 3.24.0) by WPPOOL contains a missing authorization vulnerability enabling low-privileged authenticated users to perform restricted plugin actions beyond their intended access level, resulting in limited but unauthorized integrity modifications. The flaw stems from CWE-862 (Missing Authorization), where plugin endpoints fail to verify that an authenticated user holds the required WordPress capability before executing privileged operations. No public exploit code exists and this vulnerability is not in the CISA Known Exploited Vulnerabilities catalog; EPSS scoring at 0.03% (8th percentile) confirms negligible likelihood of broad exploitation at this time.
Technical ContextAI
The FlexTable plugin (WordPress slug: sheets-to-wp-table-live-sync, CPE: cpe:2.3:a:wppool:flextable:*:*:*:*:*:*:*:*) provides table management by syncing Google Sheets data into WordPress-rendered tables. CWE-862 (Missing Authorization) indicates the plugin registers AJAX hooks or REST API endpoints that validate authentication - confirming a user is logged in - but omit the subsequent capability check verifying whether that user's role is authorized to perform the requested action. This is a structurally distinct failure from authentication bypass: the user is correctly identified, but the authorization gate is absent. In WordPress plugin architecture this pattern commonly arises when developers call wp_verify_nonce() without a paired current_user_can() check, allowing any authenticated role - including subscriber - to invoke functionality reserved for editors or administrators.
RemediationAI
Update the FlexTable plugin to a version beyond 3.24.0 once a patched release is available from WPPOOL; verify the specific fixed version number directly via the WordPress plugin repository or the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/sheets-to-wp-table-live-sync/vulnerability/wordpress-flextable-plugin-3-24-0-broken-access-control-vulnerability, as an exact patched release version is not independently confirmed in the available data. As a compensating control pending patch deployment, restrict WordPress user registration to prevent unknown parties from obtaining the low-privilege accounts required for exploitation; remove or suspend active subscriber-level accounts that are not operationally necessary, as this eliminates the prerequisite access tier. A web application firewall rule scoped to block unauthorized requests to FlexTable's AJAX or REST endpoints from low-privilege sessions can provide additional layered defense, though WAF tuning requires knowledge of the specific endpoint identifiers. Note that disabling the plugin entirely will interrupt any Google Sheets-linked table content on the site - weigh this trade-off against the low EPSS and SSVC exploitation signal before taking that step.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31744
GHSA-884p-7x3h-pgqw