CVE-2024-6532 in Sheet to Table Live Sync for Google Sheet Plugin
Summary
by MITRE • 08/14/2024
The Sheet to Table Live Sync for Google Sheet plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's STWT_Sheet_Table shortcode in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 03/15/2025
The Sheet to Table Live Sync for Google Sheet plugin presents a critical stored cross-site scripting vulnerability that affects all versions up to and including 1.0.1. This vulnerability resides within the plugin's STWT_Sheet_Table shortcode implementation, where insufficient input sanitization and output escaping mechanisms fail to properly validate or escape user-supplied attributes. The flaw specifically targets authenticated attackers who possess contributor-level access or higher privileges within the WordPress environment, enabling them to exploit this weakness to inject malicious web scripts into affected pages.
The technical nature of this vulnerability stems from the plugin's failure to adequately sanitize input parameters passed through the STWT_Sheet_Table shortcode attributes. When an attacker with sufficient privileges creates or modifies content containing malicious script within these attributes, the plugin stores this unvalidated input without proper escaping mechanisms. Subsequently, when legitimate users access pages containing the affected shortcode, the stored malicious scripts execute in their browsers, creating a persistent cross-site scripting attack vector. This stored XSS vulnerability operates at the server-side storage level rather than during transmission, making it particularly dangerous as the malicious code remains embedded within the WordPress database and executes every time the affected page loads.
The operational impact of this vulnerability extends beyond simple script execution, as it provides attackers with significant privileges within the compromised WordPress environment. With contributor-level access or higher, attackers can inject scripts that may steal session cookies, redirect users to malicious sites, modify page content, or even escalate privileges further within the WordPress installation. The vulnerability affects any user who accesses pages containing the malicious shortcode, making it a persistent threat that can impact multiple users over time. This type of vulnerability aligns with CWE-79 - Improper Neutralization of Input During Web Page Generation, which specifically addresses the failure to properly escape output in web applications.
From a threat modeling perspective, this vulnerability demonstrates how seemingly benign plugin functionality can become a significant attack surface when proper input validation and output escaping mechanisms are absent. The attack requires only contributor-level privileges, which many WordPress installations grant to trusted users or members of organizations, making this vulnerability particularly concerning for sites with multiple user roles. The ATT&CK framework categorizes this as a form of code injection, specifically leveraging the web application's trust in user-provided input. The vulnerability's exploitation process follows a classic stored XSS pattern where the malicious input is stored in the database and later executed during page rendering, making it difficult to detect through simple network monitoring.
Mitigation strategies for this vulnerability should focus on immediate patching of the plugin to version 1.0.2 or later, which presumably contains the necessary input sanitization and output escaping fixes. Administrators should also implement additional security measures including regular security audits of installed plugins, monitoring for suspicious shortcode usage, and implementing content security policies to limit script execution. The vulnerability highlights the importance of proper input validation and output escaping practices, which should be enforced throughout all plugin development processes. Organizations should consider implementing automated scanning tools to detect similar vulnerabilities in their WordPress installations and establish regular update procedures to ensure all plugins remain current with security patches.