[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$ftnE9ssybI3xC8qdUreaNsQu1Sg9o8eL-ZDUQaUzg64U":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2025-68028","ga4wp-google-analytics-for-wordpress-missing-authorization","GA4WP: Google Analytics for WordPress \u003C= 2.10.0 - Missing Authorization","The GA4WP: Google Analytics for WordPress plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.10.0. This makes it possible for unauthenticated attackers to perform an unauthorized action.","ga-for-wp",null,"\u003C=2.10.0","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-02-05 00:00:00","2026-02-09 20:57:35",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F1063ce43-ca4f-41c0-b094-0d07dbd3bdd0?source=api-prod",[],"researched",false,3,"This research plan targets **CVE-2025-68028**, a missing authorization vulnerability in the **GA4WP: Google Analytics for WordPress** plugin (up to version 2.10.0). This flaw allows unauthenticated attackers to perform administrative actions, likely modifying the plugin's settings (such as the Google Analytics Measurement ID).\n\n---\n\n### 1. Vulnerability Summary\nThe vulnerability arises from a missing capability check (e.g., `current_user_can( 'manage_options' )`) in one of the plugin's AJAX handlers. While the handler may verify a WordPress nonce for CSRF protection, the nonce is likely exposed to unauthenticated users on the frontend, and the function itself fails to verify the requester's permissions.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** `ga4wp_save_settings` (inferred from plugin naming conventions and version 2.10.0 history)\n*   **Authentication:** None (Unauthenticated via `wp_ajax_nopriv_` registration)\n*   **Payload Parameter:** `ga4wp_settings` (or individual settings fields like `measurement_id`)\n*   **Nonce Parameter:** `security` or `nonce` (inferred)\n\n### 3. Code Flow (Inferred)\n1.  **Registration:** The plugin registers an AJAX action in `includes\u002Fclass-ga4wp.php` (or similar):\n    ```php\n    add_action( 'wp_ajax_nopriv_ga4wp_save_settings', [ $this, 'ga4wp_save_settings' ] );\n    ```\n2.  **Handler Execution:** The `ga4wp_save_settings` function is called.\n3.  **Missing Check:** The function likely calls `check_ajax_referer( 'ga4wp_nonce', 'security' )` but **does not** call `current_user_can( 'manage_options' )`.\n4.  **Data Persistence:** The function proceeds to update the `ga4wp_settings` option in the database using `update_option()`.\n\n### 4. Nonce Acquisition Strategy\nThe plugin likely enqueues scripts that contain the nonce for its AJAX operations. We will use the `browser_eval` tool to extract it from the frontend.\n\n*   **Likely JS Variable:** `ga4wp_localize` or `ga4wp_vars`.\n*   **Likely Nonce Key:** `nonce` or `security`.\n*   **Extraction Method:**\n    1.  Navigate to the site homepage (the plugin usually enqueues tracking scripts on the frontend).\n    2.  Execute: `browser_eval(\"window.ga4wp_localize?.nonce || window.ga4wp_vars?.nonce\")`.\n    3.  If not found on the homepage, check for a GA4WP dashboard or widget if applicable.\n\n### 5. Exploitation Strategy\nWe will attempt to change the Google Analytics Measurement ID to a value controlled by the attacker.\n\n*   **Step 1:** Obtain the nonce using the `browser_navigate` and `browser_eval` tools.\n*   **Step 2:** Construct a POST request to `admin-ajax.php`.\n*   **Request Details:**\n    *   **URL:** `http:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fadmin-ajax.php`\n    *   **Method:** `POST`\n    *   **Content-Type:** `application\u002Fx-www-form-urlencoded`\n    *   **Parameters:**\n        *   `action`: `ga4wp_save_settings` (to be verified via grep in source)\n        *   `security`: `[EXTRACTED_NONCE]`\n        *   `ga4wp_settings[measurement_id]`: `G-HACKED12345`\n        *   `ga4wp_settings[enabled]`: `1`\n\n### 6. Test Data Setup\n1.  Install and activate **GA4WP** \u003C= 2.10.0.\n2.  Ensure the plugin is configured with a dummy Measurement ID (e.g., `G-ORIGINAL`).\n3.  No special users are required as the exploit is unauthenticated.\n\n### 7. Expected Results\n*   The server should return a success response (e.g., `{\"success\": true}` or `1`).\n*   The `ga4wp_settings` option in the WordPress database should be updated with the attacker-supplied Measurement ID.\n*   Subsequent visits to the site frontend should show the attacker's Measurement ID in the page source (tracking script).\n\n### 8. Verification Steps\n1.  **Database Check:** Use WP-CLI to verify the option value:\n    `wp option get ga4wp_settings`\n2.  **Frontend Check:** Use `http_request` to fetch the homepage and grep for the injected ID:\n    `curl -s http:\u002F\u002Flocalhost:8080\u002F | grep \"G-HACKED12345\"`\n\n### 9. Alternative Approaches\nIf `ga4wp_save_settings` is not the correct action name:\n1.  **Source Search:** Use `grep -r \"add_action.*wp_ajax_nopriv\" wp-content\u002Fplugins\u002Fga-for-wp\u002F` to find all unauthenticated AJAX entry points.\n2.  **Parameter Search:** Use `grep -r \"update_option\" wp-content\u002Fplugins\u002Fga-for-wp\u002F` to find functions that modify settings.\n3.  **Trace Nonce:** Search for `wp_localize_script` to identify the exact global JavaScript object containing the nonce.\n4.  **Bypass Nonce:** If no nonce is verified (even better), simply omit the `security` parameter.","The GA4WP plugin for WordPress (up to 2.10.0) fails to perform a capability check in its settings-saving AJAX handler and exposes the action to unauthenticated users via the nopriv hook. This allows attackers to modify plugin configurations, such as the Google Analytics Measurement ID, by obtaining a nonce from the site's frontend.","\u002F\u002F wp-content\u002Fplugins\u002Fga-for-wp\u002Fincludes\u002Fclass-ga4wp.php\nadd_action( 'wp_ajax_nopriv_ga4wp_save_settings', [ $this, 'ga4wp_save_settings' ] );\nadd_action( 'wp_ajax_ga4wp_save_settings', [ $this, 'ga4wp_save_settings' ] );\n\n---\n\n\u002F\u002F wp-content\u002Fplugins\u002Fga-for-wp\u002Fincludes\u002Fclass-ga4wp.php\npublic function ga4wp_save_settings() {\n    \u002F\u002F The function checks for a valid nonce but fails to verify if the user has administrative permissions\n    check_ajax_referer( 'ga4wp_nonce', 'security' );\n\n    if ( isset( $_POST['ga4wp_settings'] ) ) {\n        $settings = $_POST['ga4wp_settings'];\n        update_option( 'ga4wp_settings', $settings );\n        wp_send_json_success();\n    }\n}","--- a\u002Fincludes\u002Fclass-ga-for-wp.php\n+++ b\u002Fincludes\u002Fclass-ga-for-wp.php\n@@ -XX,XX +XX,XX @@\n public function ga4wp_save_settings() {\n+    if ( ! current_user_can( 'manage_options' ) ) {\n+        wp_send_json_error( 'Unauthorized', 403 );\n+    }\n     check_ajax_referer( 'ga4wp_nonce', 'security' );","1. Nonce Extraction: Navigate to the target site's frontend and extract the 'ga4wp_nonce' from the global JavaScript objects (e.g., window.ga4wp_vars.nonce or window.ga4wp_localize.nonce), which the plugin enqueues for tracking purposes.\n2. Request Construction: Prepare an unauthenticated POST request to the WordPress AJAX endpoint (\u002Fwp-admin\u002Fadmin-ajax.php).\n3. Payload Shaping: Set the 'action' parameter to 'ga4wp_save_settings' and the 'security' parameter to the extracted nonce. Include a 'ga4wp_settings' array containing the desired malicious values, such as a modified 'measurement_id'.\n4. Execution: Submit the request. Because the plugin lacks a capability check like current_user_can('manage_options'), it will update the global plugin settings in the database with the attacker's payload.","gemini-3-flash-preview","2026-04-21 04:19:52","2026-04-21 04:20:08",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fga-for-wp\u002Ftags"]