Analytify < 5.4.0 – Cross-Site Request Forgery to Opt-out | CVE 2024-43265 | Plugin Vulnerabilities

Description

The Analytify – Google Analytics Dashboard For WordPress (GA4 analytics made easy) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.3.1. This is due to missing or incorrect nonce validation on the optout_yes() function. This makes it possible for unauthenticated attackers to opt out of tracking via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Fixed in 5.4.0

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/0e407409-989d-48f8-8135-6071015a6064

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Dhabaleshwar Das

Verified

No

WPVDB ID

9fbba4f7-e0d4-44f1-b141-f0c388ca6770

Timeline

Publicly Published

2024-08-12 (about 1 year ago)

Added

2024-08-22 (about 1 year ago)

Last Updated

2024-08-22 (about 1 year ago)

Other

Published

Title

Published

2025-07-10

Title

Wishlist for WooCommerce < 3.2.4 - Missing Authorization

Published

2026-03-23

Title

PPWP – Password Protect Pages < 1.9.16 - Missing Authorization

Published

2025-08-03

Title

Wikipedia Preview < 1.16.0 - Missing Authorization

Published

2026-05-04

Title

GeekyBot < 1.2.3 - Missing Authorization to Unauthenticated Arbitrary Plugin Installation via 'geekybot_frontendajax' AJAX Action

Published

2026-01-18

Title

AJAX Hits Counter + Popular Posts Widget <= 0.10.210305 - Missing Authorization