Analytify < 5.2.4 – Missing Authorization to Unauthenticated Google Analytics Tracking ID Modification | CVE 2024-1584 | Plugin Vulnerabilities

Description

The Analytify – Google Analytics Dashboard For WordPress (GA4 analytics made easy) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wpa_check_authentication' function in all versions up to, and including, 5.2.1. This makes it possible for unauthenticated attackers to modify the site's Google Analytics tracking ID.

Affects Plugins

Fixed in 5.2.4

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/2c399c6a-d5e4-4b88-a0a9-003233d5d59f

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Francesco Carlucci

Verified

No

WPVDB ID

3df4ff72-0a45-4ae6-b824-799551b705ed

Timeline

Publicly Published

2024-04-26 (about 21 days ago)

Added

2024-04-26 (about 20 days ago)

Last Updated

2024-04-26 (about 20 days ago)

Other

Published

Title

Published

2021-01-28

Title

uListing < 1.7 - Unauthenticated Arbitrary Account Creation

Published

2021-08-25

Title

Advanced Custom Fields < 5.11 - Subscriber+ Arbitrary ACF Data/Field Groups View and Fields Move

Published

2020-12-14

Title

Total Upkeep by BoldGrid < 1.14.10 - Sensitive Data Disclosure (Server IP Address, UID etc)

Published

2022-05-18

Title

JupiterX Core < 2.0.7 - Information Disclosure, Modification, and Denial of Service

Published

2024-03-04

Title

Schema Pro < 2.7.16 - Contributor+ Custom Field Access