WordPress Plugin Vulnerabilities

Analytify < 6.0.0 - Missing Authorization to Authenticated (Subscriber+) Minor Settings Update

Description

The Analytify – Google Analytics Dashboard For WordPress (GA4 analytics made easy) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the rated() function in all versions up to, and including, 5.5.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to set the rated option to true.

Affects Plugins

Plugin icon
wp-analytify
Fixed in 6.0.0

References

CVE
CVE-2025-30897
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/feb13137-4708-43da-9a5a-b7af8356942d

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Trương Hữu Phúc (truonghuuphuc)
Verified
No
WPVDB ID
3de9c18b-5bbe-4771-8f21-dca24a1c7208

Timeline

Publicly Published
2025-03-27 (about 1 year ago)
Added
2025-04-03 (about 1 year ago)
Last Updated
2025-04-03 (about 1 year ago)

Other

Published
Title
Published
2025-01-16
Title
radSLIDE <= 2.1 - Missing Authorization
Published
2024-07-10
Title
Payflex Payment Gateway < 2.6.0 - Missing Authorization to Order Status Update
Published
2023-12-07
Title
Login With Ajax < 4.2 - Missing Authorization
Published
2024-03-06
Title
Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) < 2.8.8 - Missing Authorization to Unauthenticated Media Upload
Published
2025-04-18
Title
Booking and Rental Manager < 2.3.7 - Missing Authorization