WordPress Plugin Vulnerabilities

ExactMetrics < 8.2.0 - Missing Authorization

Description

The ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 8.1.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to perform an unauthorized action.

Affects Plugins

Plugin icon
google-analytics-dashboard-for-wp
Fixed in 8.2.0

References

CVE
CVE-2025-24750
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/f7b239b1-c234-40d0-a4bc-f2db54937494

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
No
WPVDB ID
cfb66190-ef07-4228-a522-0844195c0da4

Timeline

Publicly Published
2025-01-24 (about 1 year ago)
Added
2025-01-28 (about 1 year ago)
Last Updated
2025-01-28 (about 1 year ago)

Other

Published
Title
Published
2025-11-12
Title
Online Booking & Scheduling Calendar for WordPress by vcita < 4.6.0 - Missing Authorization
Published
2025-01-25
Title
Quiz Maker Business, Developer, and Agency - Unauthenticated Stored XSS
Published
2026-02-12
Title
Ashe < 2.268 - Missing Authorization
Published
2025-06-27
Title
PT Project Notebooks 1.0.0 - 1.1.3 - Missing Authorization to Unauthenticated Privilege Escalation via wpnb_pto_new_users_add Function
Published
2024-07-09
Title
WP User Switch <= 1.1.2 - Subscriber+ Privilege Escalation