Skip to main content

FlexTable EUVDEUVD-2026-31744

| CVE-2026-24582 MEDIUM
Missing Authorization (CWE-862)
2026-05-25 Patchstack GHSA-884p-7x3h-pgqw
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 08, 2026 - 11:53 vuln.today

DescriptionCVE.org

Missing Authorization vulnerability in WPPOOL FlexTable allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects FlexTable: from n/a through 3.24.0.

AnalysisAI

FlexTable WordPress plugin (versions up to and including 3.24.0) by WPPOOL contains a missing authorization vulnerability enabling low-privileged authenticated users to perform restricted plugin actions beyond their intended access level, resulting in limited but unauthorized integrity modifications. The flaw stems from CWE-862 (Missing Authorization), where plugin endpoints fail to verify that an authenticated user holds the required WordPress capability before executing privileged operations. No public exploit code exists and this vulnerability is not in the CISA Known Exploited Vulnerabilities catalog; EPSS scoring at 0.03% (8th percentile) confirms negligible likelihood of broad exploitation at this time.

Technical ContextAI

The FlexTable plugin (WordPress slug: sheets-to-wp-table-live-sync, CPE: cpe:2.3:a:wppool:flextable:*:*:*:*:*:*:*:*) provides table management by syncing Google Sheets data into WordPress-rendered tables. CWE-862 (Missing Authorization) indicates the plugin registers AJAX hooks or REST API endpoints that validate authentication - confirming a user is logged in - but omit the subsequent capability check verifying whether that user's role is authorized to perform the requested action. This is a structurally distinct failure from authentication bypass: the user is correctly identified, but the authorization gate is absent. In WordPress plugin architecture this pattern commonly arises when developers call wp_verify_nonce() without a paired current_user_can() check, allowing any authenticated role - including subscriber - to invoke functionality reserved for editors or administrators.

RemediationAI

Update the FlexTable plugin to a version beyond 3.24.0 once a patched release is available from WPPOOL; verify the specific fixed version number directly via the WordPress plugin repository or the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/sheets-to-wp-table-live-sync/vulnerability/wordpress-flextable-plugin-3-24-0-broken-access-control-vulnerability, as an exact patched release version is not independently confirmed in the available data. As a compensating control pending patch deployment, restrict WordPress user registration to prevent unknown parties from obtaining the low-privilege accounts required for exploitation; remove or suspend active subscriber-level accounts that are not operationally necessary, as this eliminates the prerequisite access tier. A web application firewall rule scoped to block unauthorized requests to FlexTable's AJAX or REST endpoints from low-privilege sessions can provide additional layered defense, though WAF tuning requires knowledge of the specific endpoint identifiers. Note that disabling the plugin entirely will interrupt any Google Sheets-linked table content on the site - weigh this trade-off against the low EPSS and SSVC exploitation signal before taking that step.

Share

EUVD-2026-31744 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy