WordPress Plugin Vulnerabilities

ShareThis Dashboard for Google Analytics < 3.2.2 - Missing Authorization to Unauthenticated Feature Deactivation

Description

The ShareThis Dashboard for Google Analytics plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_actions() function in all versions up to, and including, 3.2.1. This makes it possible for unauthenticated attackers to disable all features.

Affects Plugins

Plugin icon
googleanalytics
Fixed in 3.2.2

References

CVE
CVE-2025-1507
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/314b8638-15e7-461d-a705-3858fe6813e7

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
m3ssap0
Verified
No
WPVDB ID
adc13c7a-bc34-4ac0-a3aa-3d36d3b2c06c

Timeline

Publicly Published
2025-03-13 (about 1 year ago)
Added
2025-03-13 (about 1 year ago)
Last Updated
2025-03-14 (about 1 year ago)

Other

Published
Title
Published
2025-06-05
Title
Taskbuilder < 4.0.8 - Missing Authorization
Published
2024-04-26
Title
Tutor LMS < 2.7.0 - Missing Authorization to Unauthenticated Limited Options Update
Published
2024-04-15
Title
User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin < 3.2.0 - Missing Authorization to Unauthenticated Media Deletion
Published
2025-12-12
Title
Popup Builder < 1.1.39 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Settings Reset
Published
2025-12-30
Title
Civic Cookie Control < 1.54 - Missing Authorization