CVE-2025-68032

Advanced WC Analytics <= 3.19.0 - Missing Authorization to Unauthenticated Settings Update

Severity: medium (Missing Authorization)
CVSS Score: 4.3
Patched in: 4.0.0
Time to patch: 70d

Description

The AWCA – The Great Analytics Insights for Your eStore plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 3.19.0. This makes it possible for unauthenticated attackers to update plugin settings.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <=3.19.0
Published: February 5, 2026
Last updated: April 15, 2026
Affected plugin: advance-wc-analytics

What Changed in the Fix

Changes introduced in v4.0.0


Source Code

WordPress.org SVN
Research Plan
Unverified


Exploitation Research Plan: CVE-2025-68032

1. Vulnerability Summary

The Advanced WC Analytics plugin (versions <= 3.19.0) contains a missing authorization vulnerability that allows unauthenticated users to update plugin settings. The vulnerability exists because settings update logic is processed during global hooks (like init or plugins_loaded) or via unauthenticated AJAX actions (nopriv_) without performing capability checks (current_user_can) or properly enforcing nonce verification for authenticated actions.

Specifically, the plugin logic in main/class-awca-auth.php and the included view files (e.g., inc/view/settings.php, inc/view/auth.php) handles $_POST requests to update WordPress options (like awca_auth_settings, awca_event_settings, measurement_key) but lacks a check to ensure the requester has administrative privileges.

2. Attack Vector Analysis

  • Endpoint: Any WordPress URL (via plugins_loaded or init hooks) or wp-admin/admin-ajax.php.
  • Action:
    • Direct POST requests containing parameters like awca_event_settings, awca_track_settings, or awca_auth_submit.
    • AJAX actions: web_awca_un_link, web_awca_tab_update (both have nopriv_ versions registered in AWCA_Auth::__construct).
Research Findings
Static analysis — not yet PoC-verified

Summary

The Advanced WC Analytics plugin for WordPress is vulnerable to unauthorized settings modification due to missing capability checks in several administrative functions. This allows unauthenticated attackers to update plugin configurations, link/unlink Google Analytics accounts, and reset dashboard settings by sending crafted POST requests or triggering specific AJAX actions.

Vulnerable Code

// inc/view/auth.php line 18
/* storing Authentication settings */
// Only the nonce is verified; nothing confirms that the requester is an
// administrator (no is_user_logged_in() / current_user_can('manage_options'))
// before the posted settings are parsed and saved.
if (isset($_POST['awca_auth_submit']) && wp_verify_nonce($_POST['awca_nonce_header'], 'awca_auth_submit')) {
  $awca_auth_settings_save = AWCA_Settings::get_instance()->parse_awca_auth_settings($_POST['awca_auth_settings']);
  // ... (truncated)
}

---

// inc/view/settings.php line 16
/* storing Event settings */
// Same pattern: nonce check only, no capability check before update_option().
if (isset($_POST['awca_event_settings']) && wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['awca_nonce_header'])), 'awca_event_submit')) {
    $awca_event_settings_save = AWCA_Settings::get_instance()->parse_awca_bool_settings($_POST['awca_event_settings']);
    // ... (truncated)
}

---

// main/class-awca-auth.php line 29
// The wp_ajax_nopriv_ registrations make these handlers callable by
// unauthenticated visitors through wp-admin/admin-ajax.php.
add_action('wp_ajax_nopriv_web_awca_un_link', array($this, 'web_un_link'));
add_action('wp_ajax_web_awca_tab_update', array($this, 'tab_update'));
add_action('wp_ajax_nopriv_web_awca_tab_update', array($this, 'tab_update'));

---

// main/class-awca-auth.php line 240
public function web_un_link()
{
	// check_ajax_referer() validates only the nonce; there is no
	// current_user_can() check before the stored tokens and settings are deleted.
	check_ajax_referer('awca-un-link', 'security');
	delete_option('awca_access_token');
	delete_option('awca_refresh_token');
	delete_option('awca_auth_settings');
	// ... (truncated)
}

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/advance-wc-analytics/3.19.0/inc/view/auth.php /home/deploy/wp-safety.org/data/plugin-versions/advance-wc-analytics/4.0.0/inc/view/auth.php
--- /home/deploy/wp-safety.org/data/plugin-versions/advance-wc-analytics/3.19.0/inc/view/auth.php	2026-01-29 11:11:06.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/advance-wc-analytics/4.0.0/inc/view/auth.php	2026-04-15 05:28:52.000000000 +0000
@@ -16,6 +16,9 @@
 
 /* storing Authentication settings */
 if (isset($_POST['awca_auth_submit']) && wp_verify_nonce($_POST['awca_nonce_header'], 'awca_auth_submit')) {
+  if (! is_user_logged_in() || !current_user_can('manage_options')) {
+    wp_send_json_error(array('message' => 'Unauthorized'), 403);
+  }
   $awca_auth_settings_save = AWCA_Settings::get_instance()->parse_awca_auth_settings($_POST['awca_auth_settings']);
   if (isset($awca_auth_settings_save['agreement'])) {
     if (!empty($awca_auth_settings_save['property_id']) || !empty($awca_auth_settings_save['tracking_id'])) {
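Review bot: the guard added after the nonce check is effective only because `wp_send_json_error()` terminates the request, but it is placed inside a non-AJAX view file, so a browser form submission by a non-admin receives a JSON body rather than an admin notice; consider folding the authorization test into the condition itself (`if (isset($_POST['awca_auth_submit']) && current_user_can('manage_options') && wp_verify_nonce(...))`) or calling `wp_die()` with a 403. The `is_user_logged_in()` clause is redundant, since `current_user_can('manage_options')` is already false for anonymous requests, and `$_POST['awca_nonce_header']` is still passed to `wp_verify_nonce()` without the `wp_unslash()`/`sanitize_text_field()` treatment the settings.php hunk applies; the two files should use the same idiom.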
diff -ru /home/deploy/wp-safety.org/data/plugin-versions/advance-wc-analytics/3.19.0/inc/view/settings.php /home/deploy/wp-safety.org/data/plugin-versions/advance-wc-analytics/4.0.0/inc/view/settings.php
--- /home/deploy/wp-safety.org/data/plugin-versions/advance-wc-analytics/3.19.0/inc/view/settings.php	2026-01-29 11:11:06.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/advance-wc-analytics/4.0.0/inc/view/settings.php	2026-04-15 05:28:52.000000000 +0000
@@ -15,6 +15,9 @@
 }
 /* storing Event settings */
 if (isset($_POST['awca_event_settings']) && wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['awca_nonce_header'])), 'awca_event_submit')) {
+    if (! is_user_logged_in() || ! current_user_can('manage_options')) {
+        wp_send_json_error(array('message' => 'Unauthorized'), 403);
+    }
     $awca_event_settings_save = AWCA_Settings::get_instance()->parse_awca_bool_settings($_POST['awca_event_settings']);
     if ($awca_event_settings_save) {
         update_option('awca_event_settings', $awca_event_settings_save);
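Review bot: only the `awca_event_settings` branch receives the new check in this hunk, while the Research Plan above lists `awca_track_settings` as another `$_POST` key handled by this file; confirm that every branch in settings.php that ends in `update_option()` carries the same guard. The inserted block also duplicates the one added to auth.php, with a different spacing style (`! current_user_can` here, `!current_user_can` there); a single shared helper, for example a hypothetical `awca_require_admin()` that runs `current_user_can('manage_options')` and dies with 403, would keep the two in step and make future handlers harder to leave unguarded.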
diff -ru /home/deploy/wp-safety.org/data/plugin-versions/advance-wc-analytics/3.19.0/main/class-awca-auth.php /home/deploy/wp-safety.org/data/plugin-versions/advance-wc-analytics/4.0.0/main/class-awca-auth.php
--- /home/deploy/wp-safety.org/data/plugin-versions/advance-wc-analytics/3.19.0/main/class-awca-auth.php	2026-01-29 11:11:06.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/advance-wc-analytics/4.0.0/main/class-awca-auth.php	2026-04-15 05:28:52.000000000 +0000
@@ -27,11 +27,11 @@
 	{
 		add_action('init', array($this, 'awca_authenticate'));
 		add_action('wp_ajax_web_awca_un_link', array($this, 'web_un_link'));
-		add_action('wp_ajax_nopriv_web_awca_un_link', array($this, 'web_un_link'));
+		//add_action('wp_ajax_nopriv_web_awca_un_link', array($this, 'web_un_link'));
 		add_action('wp_ajax_web_awca_tab_update', array($this, 'tab_update'));
-		add_action('wp_ajax_nopriv_web_awca_tab_update', array($this, 'tab_update'));
+		//add_action('wp_ajax_nopriv_web_awca_tab_update', array($this, 'tab_update'));
 		add_action('wp_ajax_web_awca_revoke_access', array($this, 'web_revoke_access'));
-		add_action('wp_ajax_nopriv_web_awca_revoke_access', array($this, 'web_revoke_access'));
+		//add_action('wp_ajax_nopriv_web_awca_revoke_access', array($this, 'web_revoke_access'));
 		add_action('admin_enqueue_scripts', array($this, 'load_local_script'));
 		add_action('plugins_loaded', array($this, 'new_update_settings'));
 		add_action('wp_dashboard_setup', array($this, 'awca_dashboard_widget'));
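Review bot: the three `wp_ajax_nopriv_*` registrations are commented out rather than deleted; dead code should be removed, and the commented lines invite a later re-enable. More importantly, dropping the anonymous route only raises the bar to "any logged-in user with a valid nonce": the `web_un_link()` excerpt above shows `check_ajax_referer()` followed directly by `delete_option()` with no `current_user_can('manage_options')`, and nothing in this hunk adds one to `web_un_link`, `tab_update` or `web_revoke_access`, so each handler should check the capability itself. The `init` and `plugins_loaded` callbacks (`awca_authenticate`, `new_update_settings`) visible in this hunk are unchanged; the Research Plan names those hooks as settings-update paths, so confirm they do not act on `$_POST` without the same check.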

Exploit Outline

The vulnerability can be exploited by sending unauthenticated POST requests to the WordPress administrative interface or AJAX endpoint.

1. For AJAX actions (e.g., `web_awca_un_link`): An attacker sends a POST request to `/wp-admin/admin-ajax.php` with the `action` parameter set to the target function. While some AJAX actions check for a nonce via `check_ajax_referer`, they are registered using `wp_ajax_nopriv_` and lack any `current_user_can('manage_options')` checks, making them accessible if the nonce can be retrieved or is not effectively enforced.

2. For settings updates in view files (e.g., `inc/view/auth.php`): An attacker can send a direct POST request to a URL that triggers the plugin's logic (such as an administrative page or during `init`). By providing parameters like `awca_auth_submit`, `awca_event_settings`, or `awca_track_settings` along with the corresponding configuration arrays, they can overwrite the plugin's options in the database without administrative privileges.
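The Research Findings above were produced by static analysis, and the patch review shows why that matters: the fix removes the anonymous AJAX route but leaves the handlers themselves without a capability check. As an added example (not part of this advisory and not the plugin's code), the Python script below encodes the same three heuristics a reviewer applies by hand: `wp_ajax_nopriv_` registrations, functions that write options without `current_user_can()`, and `$_POST`-guarded blocks that do the same. It runs over two constructed PHP samples modelled on the excerpts on this page, one in the 3.19.0 shape and one in the 4.0.0 patch shape; the regexes, the `Finding` type and the sample files are mine, and the brace matching is deliberately simple (it ignores braces inside strings), so treat it as a triage aid, not a parser.

```python
"""Heuristic audit of WordPress plugin PHP for missing-authorization patterns.

Flags (1) wp_ajax_nopriv_ registrations, (2) functions that call
update_option/delete_option/add_option without current_user_can(), and
(3) if(isset($_POST[...])) blocks that do the same. Constructed example.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str   # 'nopriv-ajax', 'handler-no-cap' or 'post-block-no-cap'
    name: str   # AJAX action, function name or $_POST key
    line: int   # 1-based line in the scanned source


NOPRIV_RE = re.compile(
    r"""add_action\(\s*['"]wp_ajax_nopriv_(\w+)['"]\s*,\s*array\(\s*\$this\s*,\s*['"](\w+)['"]""")
FUNC_RE = re.compile(r"function\s+(\w+)\s*\(")
POST_GUARD_RE = re.compile(r"""if\s*\(\s*isset\(\s*\$_POST\[['"](\w+)['"]\]""")
OPTION_WRITE_RE = re.compile(r"\b(?:update_option|delete_option|add_option)\s*\(")
CAP_CHECK_RE = re.compile(r"\bcurrent_user_can\s*\(")


def strip_comments(src: str) -> str:
    """Blank out /* */ and // comments while keeping line numbers stable, so a
    registration that a patch merely commented out is not counted as live.
    (Heuristic: a '//' inside a string literal, e.g. a URL, is also removed.)"""
    src = re.sub(r"/\*.*?\*/", lambda m: re.sub(r"[^\n]", " ", m.group(0)), src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)


def block_after(src: str, start: int) -> str:
    """Text of the brace-delimited block opening at the first '{' at or after
    `start`; empty string if braces never balance."""
    open_at = src.find("{", start)
    if open_at < 0:
        return ""
    depth = 0
    for i in range(open_at, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[open_at:i + 1]
    return ""


def line_of(src: str, pos: int) -> int:
    return src.count("\n", 0, pos) + 1


def audit_php(src: str) -> list[Finding]:
    code = strip_comments(src)
    findings: list[Finding] = []
    # 1. Anonymous AJAX routes: every wp_ajax_nopriv_ action is reachable without login.
    for m in NOPRIV_RE.finditer(code):
        findings.append(Finding("nopriv-ajax", m.group(1), line_of(code, m.start())))
    # 2. Functions that persist options but never test a capability.
    for m in FUNC_RE.finditer(code):
        body = block_after(code, m.end())
        if OPTION_WRITE_RE.search(body) and not CAP_CHECK_RE.search(body):
            findings.append(Finding("handler-no-cap", m.group(1), line_of(code, m.start())))
    # 3. Top-level $_POST handlers (the view-file pattern) with the same gap.
    for m in POST_GUARD_RE.finditer(code):
        body = block_after(code, m.end())
        if OPTION_WRITE_RE.search(body) and not CAP_CHECK_RE.search(body):
            findings.append(Finding("post-block-no-cap", m.group(1), line_of(code, m.start())))
    return findings


# Constructed samples modelled on the excerpts in this advisory; not the plugin's real files.
VULNERABLE_SRC = """<?php
class AWCA_Auth {
    public function __construct() {
        add_action('wp_ajax_web_awca_un_link', array($this, 'web_un_link'));
        add_action('wp_ajax_nopriv_web_awca_un_link', array($this, 'web_un_link'));
    }

    public function web_un_link() {
        check_ajax_referer('awca-un-link', 'security');
        delete_option('awca_access_token');
        wp_send_json_success();
    }
}

/* storing Event settings */
if (isset($_POST['awca_event_settings']) && wp_verify_nonce($_POST['awca_nonce_header'], 'awca_event_submit')) {
    $save = AWCA_Settings::get_instance()->parse_awca_bool_settings($_POST['awca_event_settings']);
    if ($save) {
        update_option('awca_event_settings', $save);
    }
}
"""

# Same file in the shape of the 4.0.0 patch: nopriv route commented out, capability
# check added to the $_POST block, handler body left unchanged.
PATCHED_SRC = VULNERABLE_SRC.replace(
    "        add_action('wp_ajax_nopriv_", "        //add_action('wp_ajax_nopriv_"
).replace(
    "'awca_event_submit')) {\n",
    "'awca_event_submit')) {\n"
    "    if (! is_user_logged_in() || ! current_user_can('manage_options')) {\n"
    "        wp_send_json_error(array('message' => 'Unauthorized'), 403);\n"
    "    }\n",
)

if __name__ == "__main__":
    for label, src in (("3.19.0 shape", VULNERABLE_SRC), ("4.0.0 shape", PATCHED_SRC)):
        print(label)
        for f in audit_php(src):
            print(f"  line {f.line}: {f.kind} {f.name}")
```

On the 3.19.0-shaped sample the script reports all three findings; on the patched shape only `handler-no-cap web_un_link` remains, which is exactly the residual risk noted in the patch review: the anonymous route is gone, but the handler still trusts any caller who passes `check_ajax_referer()`.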
