A vulnerability that exposed WordPress websites running the Google Analyticator plugin to cross-site request forgery has been patched.
In a security advisory posted to the Full Disclosure mailing list on Friday, security researcher Nitin Venkatesh detailed a flaw in the Google Analyticator WordPress plugin, which webmasters use to view Google Analytics data from within the WordPress dashboard.
The plugin, downloaded over 3.5 million times, contains a number of widgets for displaying analytics data in the admin dashboard and on blogs, but a security issue has been found in its cache settings.
Discovered in version 18.104.22.168, the security vulnerability allows for Cross-Site Request Forgery (CSRF) and for "the administrative actions allowed by the plugin to be exploited [...] which could be used to disrupt the functionality provided by the plugin," according to Venkatesh. The researcher says that, in theory, an authenticated user could visit a website belonging to an attacker, from which requests -- such as cache clearing and resets -- could be submitted to the vulnerable URLs using the authenticated user's session.
Those actions would then be performed without the user's consent or knowledge.
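The class of bug described above, as an added illustration in PHP that is not the Google Analyticator plugin's own code: a hypothetical admin action that clears a plugin cache, first with no check on where the request came from, then protected with a WordPress nonce and a capability check (all function, action and transient names are assumptions).

```php
<?php
// Added illustration, not the Google Analyticator plugin's code.
// Hypothetical admin-post handler that clears a plugin's analytics cache.

// BEFORE: vulnerable pattern. The handler trusts any request that carries the
// logged-in user's cookies, so a form on a third-party site can submit it
// on the user's behalf (classic CSRF).
function example_clear_cache_vulnerable() {
    delete_transient( 'example_analytics_cache' );
    wp_safe_redirect( admin_url( 'options-general.php?page=example' ) );
    exit;
}
add_action( 'admin_post_example_clear_cache', 'example_clear_cache_vulnerable' );

// AFTER: hardened pattern. The request must carry a nonce bound to this
// user's session and this specific action, and the user must hold the
// capability; a third-party page cannot obtain that nonce.
function example_clear_cache_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // Stops the request (with WordPress's "Are you sure?" page) if the
    // _wpnonce field is missing or does not verify for this action.
    check_admin_referer( 'example_clear_cache' );

    delete_transient( 'example_analytics_cache' );
    wp_safe_redirect( admin_url( 'options-general.php?page=example&cleared=1' ) );
    exit;
}
add_action( 'admin_post_example_clear_cache_safe', 'example_clear_cache_safe' );

// The legitimate settings-page form embeds the nonce that the handler checks.
function example_render_clear_cache_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_clear_cache_safe">
        <?php wp_nonce_field( 'example_clear_cache' ); ?>
        <?php submit_button( 'Clear analytics cache' ); ?>
    </form>
    <?php
}
```

The same pattern applies to any state-changing action a plugin exposes, including "reset" operations of the kind the advisory mentions.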
The vulnerability was reported on the WordPress support forum on June 2 with proof-of-concept examples. Following discussion of the flaw, the Google Analyticator plugin developer patched the security vulnerability on June 18. To avoid being exposed to this security vulnerability, site administrators should update the plugin to version 22.214.171.124.
In May, a critical security flaw was discovered in the Twenty Fifteen theme and plugin, placing millions of users at risk. Installed in new WordPress websites by default, the theme's Genericons package ships with an insecure file, example.html, which is vulnerable to Document Object Model (DOM)-based cross-site scripting (XSS).