WordPress Plugin Vulnerabilities

Conversios.io < 7.2.4 - Missing Authorization

Description

The Conversios: Google Analytics GA4, Google Ads, GTM & Multiple Pixel Tracking plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 7.2.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.

Affects Plugins

Plugin icon
enhanced-e-commerce-for-woocommerce-store
Fixed in 7.2.4

References

CVE
CVE-2025-30909
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/eda9e37d-46c4-4aaa-987b-c5cece146ea9

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Ananda Dhakal
Verified
No
WPVDB ID
8e53b389-27e8-4a41-b67f-ff993cc361cd

Timeline

Publicly Published
2025-03-27 (about 1 year ago)
Added
2025-04-02 (about 1 year ago)
Last Updated
2025-04-02 (about 1 year ago)

Other

Published
Title
Published
2024-07-16
Title
Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin < 5.7.27 - Missing Authorization
Published
2024-07-19
Title
Getwid – Gutenberg Blocks < 2.0.11 - Missing Authentication to MailChimp API key update
Published
2026-02-26
Title
Royal Addons for Elementor < 1.7.1053 - Missing Authorization
Published
2025-09-22
Title
TI WooCommerce Wishlist < 2.11.0 - Missing Authorization
Published
2025-11-30
Title
LearnPress < 4.3.0 - Missing Authorization