Vulnerability patched in Google Analyticator Wordpress Plugin

The vulnerability allowed Cross-Site Request Forgery and plugin tampering in the Google Analyticator Wordpress plugin, which is used to view Google Analytics data from the Wordpress dashboard.

A vulnerability which exposed Wordpress websites running the Google Analyticator plugin has been patched.

Revealed by security researcher Nitin Venkatesh on Friday, a security advisory posted on Full Disclosure detailed a flaw found within the Google Analyticator Wordpress plugin, used by webmasters to view Google Analytics data within a Wordpress dashboard.

The plugin, downloaded over 3.5 million times, contains a number of widgets for displaying analytics data in the admin dashboard and on blogs, but a security issue has been found within cache settings.

Discovered in version 6.4.9.3, the security vulnerability allows for Cross-Site Request Forgery (CSRF) and for "the administrative actions allowed by the plugin to be exploited [...] which could be used to disrupt the functionality provided by the plugin," according to Venkatesh. The researcher says that, in theory, an authenticated user could visit a website belonging to an attacker, where requests -- such as cache clearing and resets -- could be submitted through the vulnerable URLs using the authenticated user's existing session.

Actions could then be performed without the user's consent or knowledge.
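As an added illustration of the flaw class described above (this is not code from the Google Analyticator plugin, whose internals the advisory does not reproduce), the following shows a Wordpress admin action that resets a cache on any request from a logged-in user, beside the same handler hardened with the Wordpress nonce and capability APIs. The action name, cache key and settings page are hypothetical.

```php
<?php
// Added example, not the plugin's own code. Names are hypothetical.

// BEFORE: admin-post.php?action=ga_reset_cache runs this for any logged-in
// admin, so any page the admin's browser loads can cause the request to be
// sent with the admin's session cookies, exactly the CSRF scenario above.
function ga_reset_cache_vulnerable() {
    delete_transient( 'ga_report_cache' );   // hypothetical cache key
    wp_safe_redirect( admin_url( 'options-general.php?page=ga-settings' ) );
    exit;
}
add_action( 'admin_post_ga_reset_cache', 'ga_reset_cache_vulnerable' );

// AFTER: the reset link carries a nonce bound to the current user and to the
// named action; the handler verifies it and the capability before acting.
function ga_reset_cache_link() {
    $url = add_query_arg( 'action', 'ga_reset_cache_safe', admin_url( 'admin-post.php' ) );
    return wp_nonce_url( $url, 'ga_reset_cache_safe', '_ganonce' );
}

function ga_reset_cache_safe() {
    // Rejects cross-site requests: a third-party page has no way to learn the
    // nonce Wordpress issued for this user and action, so the check fails.
    check_admin_referer( 'ga_reset_cache_safe', '_ganonce' );

    // Nonces are not authorization; still confirm the user may administer.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }

    delete_transient( 'ga_report_cache' );
    wp_safe_redirect( admin_url( 'options-general.php?page=ga-settings' ) );
    exit;
}
add_action( 'admin_post_ga_reset_cache_safe', 'ga_reset_cache_safe' );
```

Nonces in Wordpress expire and are tied to the logged-in user, which is why the hardened handler rejects a request that did not originate from a link or form the plugin itself rendered for that user.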

The vulnerability was submitted on the Wordpress support forum on June 2 with proof-of-concept examples. Following discussion of the flaw, the Google Analyticator plugin developer updated and patched the security vulnerability on June 18. In order to avoid encountering this security vulnerability, web developers should update their plugin to version 6.4.9.3.

In May a critical security flaw was discovered in the Twenty Fifteen theme and plugin, placing millions of users at risk. Installed in new Wordpress websites by default, the theme's genericons package is loaded with an insecure file dubbed example.html, which is vulnerable to a Document Object Model (DOM)-based XSS vulnerability.
