Analytify Dashboard < 5.2.0 – Cross-Site Request Forgery | CVE 2023-47841 | Plugin Vulnerabilities

Description

The Analytify – Google Analytics Dashboard For WordPress (GA4 analytics made easy) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.1.1. This is due to missing or incorrect nonce validation on the send_analytics_email function. This makes it possible for unauthenticated attackers to send a feedback email usually sent on uninstall with admin consent via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Fixed in 5.2.0

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/d7362f3f-c5d9-4ba0-b9c3-282c58861e2f

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Abdi Pranata

Verified

No

WPVDB ID

48e3e170-1d69-4191-8d8a-d1083050770f

Timeline

Publicly Published

2023-11-20 (about 2 years ago)

Added

2023-11-24 (about 2 years ago)

Last Updated

2024-01-22 (about 2 years ago)

Other

Published

Title

Published

2024-12-12

Title

Admin Customization <= 2.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2023-01-20

Title

AutomatorWP < 2.5.1 - Object Deletion via CSRF

Published

2022-04-27

Title

Coru LFMember <= 1.0.2 - Arbitrary Game Deletion/Activation via CSRF

Published

2023-08-25

Title

iThemes Sync < 2.1.14 - Cross-Site Request Forgery and Missing Authorization via 'hide_authenticate_notice'

Published

2024-08-29

Title

Tourfic < 2.11.21 - Cross-Site Request Forgery in Multiple Functions