WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin < 14.13.4 – Subscriber+ Arbitrary Plugin Settings Update | CVE 2025-3953 | Plugin Vulnerabilities

Description

The plugin is vulnerable to unauthorized modification of data due to a missing capability check on the 'optionUpdater' function in all versions up to, and including, 14.13.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary plugin settings.

Affects Plugins

Fixed in 14.13.4

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/07f7ef07-0f14-4b74-8d47-d5dece4954b0

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Trương Hữu Phúc (truonghuuphuc)

Verified

No

WPVDB ID

4783adeb-0858-4fe8-b69c-772b40a312d9

Timeline

Publicly Published

2025-04-29 (about 1 year ago)

Added

2025-05-01 (about 1 year ago)

Last Updated

2025-05-01 (about 1 year ago)

Other

Published

Title

Published

2022-10-25

Title

Image Hover Effects Ultimate < 9.7.2 - Authenticated Arbitrary Options Change

Published

2026-04-16

Title

HAPPY – Helpdesk Support Ticket System < 1.0.11 - Missing Authorization

Published

2024-08-26

Title

Memberpress < 1.11.35 - Missing Authorization

Published

2026-03-22

Title

12 Step Meeting List < 3.19.10 - Missing Authorization

Published

2025-09-03

Title

Malcure Malware Scanner < 16.9 - Missing Authorization