CVE-2024-1809 - Vulnerability Details - OpenCVE

The Analytify – Google Analytics Dashboard For WordPress (GA4 analytics made easy) plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on AJAX functions in combination with nonce leakage in all versions up to, and including, 5.2.3. This makes it possible for authenticated attackers, with subscriber access and higher, to obtain certain sensitive information related to plugin settings.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Analytify	Analytify - Google Analytics Dashboard

Configuration 1 [-]

cpe:2.3:a:analytify:analytify_-_google_analytics_dashboard:*:*:*:*:*:wordpress:*:*

No data.

References

Link	Providers
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3072410%40wp-analytify%2Ftrunk&old=3024819%40wp-analytify%2Ftrunk&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/7a659071-df11-4318-86c2-7881163c8b62?source=cve

History

Thu, 05 Jun 2025 20:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Analytify Analytify analytify - Google Analytics Dashboard
Weaknesses		CWE-862
CPEs		cpe:2.3:a:analytify:analytify_-_google_analytics_dashboard::::::wordpress::*
Vendors & Products		Analytify Analytify analytify - Google Analytics Dashboard

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2024-05-02T16:52:16.449Z

Updated: 2024-08-01T18:48:22.060Z

Reserved: 2024-02-22T22:03:52.084Z

Link: CVE-2024-1809

Vulnrichment

Updated: 2024-08-01T18:48:22.060Z

NVD

Status : Analyzed

Published: 2024-05-02T17:15:13.500

Modified: 2025-06-05T20:21:53.780

Link: CVE-2024-1809

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-1809", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2024-02-22T22:03:52.084Z", "datePublished": "2024-05-02T16:52:16.449Z", "dateUpdated": "2024-08-01T18:48:22.060Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2024-05-02T16:52:16.449Z"}, "affected": [{"vendor": "hiddenpearls", "product": "Analytify \u2013 Google Analytics Dashboard For WordPress (GA4 analytics made easy)", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "5.2.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Analytify \u2013 Google Analytics Dashboard For WordPress (GA4 analytics made easy) plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on AJAX functions in combination with nonce leakage in all versions up to, and including, 5.2.3. This makes it possible for authenticated attackers, with subscriber access and higher, to obtain certain sensitive information related to plugin settings."}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7a659071-df11-4318-86c2-7881163c8b62?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3072410%40wp-analytify%2Ftrunk&old=3024819%40wp-analytify%2Ftrunk&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-497 Exposure of System Data to an Unauthorized Control Sphere"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Lucio S\u00e1"}], "timeline": [{"time": "2024-04-29T00:00:00.000+00:00", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-05T18:52:11.455678Z", "id": "CVE-2024-1809", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-05T21:09:40.244Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:48:22.060Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7a659071-df11-4318-86c2-7881163c8b62?source=cve", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3072410%40wp-analytify%2Ftrunk&old=3024819%40wp-analytify%2Ftrunk&sfp_email=&sfph_mail=", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7a659071-df11-4318-86c2-7881163c8b62?source=cve", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3072410%40wp-analytify%2Ftrunk&old=3024819%40wp-analytify%2Ftrunk&sfp_email=&sfph_mail=", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:48:22.060Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-1809", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-05T18:52:11.455678Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-05T21:09:37.426Z"}}], "cna": {"credits": [{"lang": "en", "type": "finder", "value": "Lucio S\u00e1"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"}}], "affected": [{"vendor": "hiddenpearls", "product": "Analytify \u2013 Google Analytics Dashboard For WordPress (GA4 analytics made easy)", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "5.2.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2024-04-29T00:00:00.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7a659071-df11-4318-86c2-7881163c8b62?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3072410%40wp-analytify%2Ftrunk&old=3024819%40wp-analytify%2Ftrunk&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Analytify \u2013 Google Analytics Dashboard For WordPress (GA4 analytics made easy) plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on AJAX functions in combination with nonce leakage in all versions up to, and including, 5.2.3. This makes it possible for authenticated attackers, with subscriber access and higher, to obtain certain sensitive information related to plugin settings."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-497 Exposure of System Data to an Unauthorized Control Sphere"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2024-05-02T16:52:16.449Z"}}}, "cveMetadata": {"cveId": "CVE-2024-1809", "state": "PUBLISHED", "dateUpdated": "2024-08-01T18:48:22.060Z", "dateReserved": "2024-02-22T22:03:52.084Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2024-05-02T16:52:16.449Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:analytify:analytify_-_google_analytics_dashboard:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "47928E10-0614-49EC-ACA4-1ED82AE8F3F9", "versionEndExcluding": "5.2.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Analytify \u2013 Google Analytics Dashboard For WordPress (GA4 analytics made easy) plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on AJAX functions in combination with nonce leakage in all versions up to, and including, 5.2.3. This makes it possible for authenticated attackers, with subscriber access and higher, to obtain certain sensitive information related to plugin settings."}, {"lang": "es", "value": "El complemento Analytify \u2013 Google Analytics Dashboard para WordPress (GA4 Analytics Made Easy) para WordPress es vulnerable al acceso no autorizado a los datos debido a una falta de verificaci\u00f3n de capacidad en las funciones AJAX en combinaci\u00f3n con la fuga de nonce en todas las versiones hasta la 5.2.3 incluida. Esto hace posible que atacantes autenticados, con acceso de suscriptor y superior, obtengan cierta informaci\u00f3n confidencial relacionada con la configuraci\u00f3n del complemento."}], "id": "CVE-2024-1809", "lastModified": "2025-06-05T20:21:53.780", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2024-05-02T17:15:13.500", "references": [{"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3072410%40wp-analytify%2Ftrunk&old=3024819%40wp-analytify%2Ftrunk&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7a659071-df11-4318-86c2-7881163c8b62?source=cve"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3072410%40wp-analytify%2Ftrunk&old=3024819%40wp-analytify%2Ftrunk&sfp_email=&sfph_mail="}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7a659071-df11-4318-86c2-7881163c8b62?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}]}