The plugin, downloaded over 3.5 million times, contains a number of widgets for displaying analytics data in the admin dashboard and on blogs, but a security issue has been found within cache settings.
Discovered in version 18.104.22.168, the security vulnerability allows for Cross-Site Request Forgery (CSRF) and for "the administrative actions allowed by the plugin to be exploited [...] which could be used to disrupt the functionality provided by the plugin," according to Venkatesh. The researcher says that in theory, an authenticated user could visit a website belonging to an attacker where requests -- such as cache clearing and resets -- could be submitted through vulnerable URLS using the authenticated user's session.
Actions could then be performed without the user's consent or knowledge.
The vulnerability was submitted on the Wordpress support forum on June 2 with proof-of-concept examples. Following discussion of the flaw, the Google Analyticator plugin developer updated and patched the security vulnerability on June 18. In order to avoid encountering this security vulnerability, web developers should update their plugin to version 22.214.171.124.
In May a critical security flaw was discovered in the Twenty Fifteen theme and plugin, placing millions of users at risk. Installed in new Wordpress websites by default, the theme's genericons package is loaded with an insecure file dubbed example.html, which is vulnerable to a Document Object Model (DOM)-based XSS vulnerability.
14 Chrome browser extensions for a streamlined experience