CVE-2025-28962 (GCVE-0-2025-28962)

Vulnerability from cvelistv5 – Published: 2025-08-14 10:34 – Updated: 2025-08-14 19:47
VLAI?
Title
WordPress Advanced Google Universal Analytics plugin <= 1.0.3 - Broken Access Control to Sensitive Data Exposure vulnerability
Summary
Missing Authorization vulnerability in stefanoai Advanced Google Universal Analytics allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Advanced Google Universal Analytics: from n/a through 1.0.3.
Severity ?
6.5 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CWE
Assigner
References
Impacted products
Vendor Product Version
stefanoai Advanced Google Universal Analytics Affected: n/a , ≤ 1.0.3 (custom)
Create a notification for this product.
Credits
0xd4rk5id3 (Patchstack Alliance)
Show details on NVD website
To clipboard Create KEV Entry 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-28962",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-14T19:47:40.192848Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-14T19:47:51.804Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "advanced-google-universal-analytics",
          "product": "Advanced Google Universal Analytics",
          "vendor": "stefanoai",
          "versions": [
            {
              "lessThanOrEqual": "1.0.3",
              "status": "affected",
              "version": "n/a",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "0xd4rk5id3 (Patchstack Alliance)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eMissing Authorization vulnerability in stefanoai Advanced Google Universal Analytics allows Exploiting Incorrectly Configured Access Control Security Levels.\u003c/p\u003e\u003cp\u003eThis issue affects Advanced Google Universal Analytics: from n/a through 1.0.3.\u003c/p\u003e"
            }
          ],
          "value": "Missing Authorization vulnerability in stefanoai Advanced Google Universal Analytics allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Advanced Google Universal Analytics: from n/a through 1.0.3."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-180",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-14T10:34:34.593Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/wordpress/plugin/advanced-google-universal-analytics/vulnerability/wordpress-advanced-google-universal-analytics-plugin-1-0-3-broken-access-control-to-sensitive-data-exposure-vulnerability?_s_id=cve"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "WordPress Advanced Google Universal Analytics plugin \u003c= 1.0.3 - Broken Access Control to Sensitive Data Exposure vulnerability",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2025-28962",
    "datePublished": "2025-08-14T10:34:34.593Z",
    "dateReserved": "2025-03-11T08:10:19.510Z",
    "dateUpdated": "2025-08-14T19:47:51.804Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-28962\",\"sourceIdentifier\":\"audit@patchstack.com\",\"published\":\"2025-08-14T11:15:31.200\",\"lastModified\":\"2025-08-14T13:11:53.633\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Missing Authorization vulnerability in stefanoai Advanced Google Universal Analytics allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Advanced Google Universal Analytics: from n/a through 1.0.3.\"},{\"lang\":\"es\",\"value\":\"La vulnerabilidad de falta de autorizaci\u00f3n en stefanoai Advanced Google Universal Analytics permite explotar niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a Advanced Google Universal Analytics desde n/d hasta la versi\u00f3n 1.0.3.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"audit@patchstack.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"audit@patchstack.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-862\"}]}],\"references\":[{\"url\":\"https://patchstack.com/database/wordpress/plugin/advanced-google-universal-analytics/vulnerability/wordpress-advanced-google-universal-analytics-plugin-1-0-3-broken-access-control-to-sensitive-data-exposure-vulnerability?_s_id=cve\",\"source\":\"audit@patchstack.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"providerMetadata\": {\"orgId\": \"21595511-bba5-4825-b968-b78d1f9984a3\", \"shortName\": \"Patchstack\", \"dateUpdated\": \"2025-08-14T10:34:34.593Z\"}, \"title\": \"WordPress Advanced Google Universal Analytics plugin \u003c= 1.0.3 - Broken Access Control to Sensitive Data Exposure vulnerability\", \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-862\", \"description\": \"CWE-862 Missing Authorization\", \"lang\": \"en\", \"type\": \"CWE\"}]}], \"impacts\": [{\"capecId\": \"CAPEC-180\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels\"}]}], \"affected\": [{\"vendor\": \"stefanoai\", \"collectionURL\": \"https://wordpress.org/plugins\", \"defaultStatus\": \"unaffected\", \"packageName\": \"advanced-google-universal-analytics\", \"product\": \"Advanced Google Universal Analytics\", \"versions\": [{\"lessThanOrEqual\": \"1.0.3\", \"status\": \"affected\", \"version\": \"n/a\", \"versionType\": \"custom\"}]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Missing Authorization vulnerability in stefanoai Advanced Google Universal Analytics allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Advanced Google Universal Analytics: from n/a through 1.0.3.\", \"supportingMedia\": [{\"type\": \"text/html\", \"base64\": false, \"value\": \"\u003cp\u003eMissing Authorization vulnerability in stefanoai Advanced Google Universal Analytics allows Exploiting Incorrectly Configured Access Control Security Levels.\u003c/p\u003e\u003cp\u003eThis issue affects Advanced Google Universal Analytics: from n/a through 1.0.3.\u003c/p\u003e\"}]}], \"references\": [{\"tags\": [\"vdb-entry\"], \"url\": \"https://patchstack.com/database/wordpress/plugin/advanced-google-universal-analytics/vulnerability/wordpress-advanced-google-universal-analytics-plugin-1-0-3-broken-access-control-to-sensitive-data-exposure-vulnerability?_s_id=cve\"}], \"metrics\": [{\"format\": \"CVSS\", \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}], \"cvssV3_1\": {\"baseScore\": 6.5, \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\", \"baseSeverity\": \"MEDIUM\", \"attackComplexity\": \"LOW\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"NONE\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"scope\": \"UNCHANGED\", \"userInteraction\": \"NONE\", \"version\": \"3.1\"}}], \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"user\": \"00000000-0000-4000-9000-000000000000\", \"value\": \"0xd4rk5id3 (Patchstack Alliance)\"}], \"source\": {\"discovery\": \"EXTERNAL\"}, \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-28962\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-08-14T19:47:40.192848Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-08-14T19:47:44.585Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-28962\", \"assignerOrgId\": \"21595511-bba5-4825-b968-b78d1f9984a3\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"Patchstack\", \"dateReserved\": \"2025-03-11T08:10:19.510Z\", \"datePublished\": \"2025-08-14T10:34:34.593Z\", \"dateUpdated\": \"2025-08-14T19:47:51.804Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.