WordPress Plugin Vulnerabilities

ShareThis Dashboard for Google Analytics <= 3.2.4 - Unauthenticated Google Analytics Data Exposure

Description

The ShareThis Dashboard for Google Analytics plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.4. This is due to the Google Analytics client_ID and client_secret being stored in plaintext in the publicly visible plugin source. This can allow unauthenticated attackers to craft a link to the sharethis.com server, which will share an authorization token for Google Analytics with a malicious website, if the attacker can trick an administrator logged into the website and Google Analytics to click the link.

Affects Plugins

Plugin icon
googleanalytics
No known fix

References

CVE
CVE-2025-12540
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/6781dcc5-db95-43ca-9042-a3c05414b7e6

Classification

Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
A3: Sensitive Data Exposure
CWE
CWE-200
CVSS
4.7 (medium)

Miscellaneous

Original Researcher
ifoundbug
Verified
No
WPVDB ID
add3b81f-f6fb-4a49-9b10-f2b13f50821b

Timeline

Publicly Published
2026-01-06 (about 4 months ago)
Added
2026-01-06 (about 4 months ago)
Last Updated
2026-04-25 (about 29 days ago)

Other

Published
Title
Published
2023-03-16
Title
WP Tiles <= 1.1.2 - Subscriber+ Draft/Private Post Title Disclosure
Published
2024-10-21
Title
All-in-One WP Migration and Backup < 7.87 - Unauthenticated Information Disclosure via Error Logs
Published
2025-12-04
Title
User Spam Remover <= 1.1 - Unauthenticated Information Exposure
Published
2024-06-04
Title
LearnPress – WordPress LMS Plugin < 4.2.6.8.1 - Basic Information Disclosure via JSON API
Published
2026-04-23
Title
Booking for Appointments and Events Calendar – Amelia < 2.2.1 - Unauthenticated Information Exposure