Google Analyticator WordPress Plugin Vulnerability Patched — Update to Latest Version Now
Thanks to security researcher Nitin Venkatesh, a vulnerability in Google Analyticator WordPress plugin has been patched.
Venkatesh posted on Full Disclosure last week, detailing a security flaw within the Google Analyticator Plugin, which is used by webmasters to see analytics data within the WordPress dashboard.
The plugin has been download over 3.5 million times and Venkatesh was able to find a security flaw, which surely was a matter of concern for millions of users around the world.
The security flaw was discovered in version 126.96.36.199, which allows Cross-Site Request Forgery, along with exploiting of administrative actions offered by the plugin itself.
According to Venkatesh, this “could be used to disrupt the functionality provided by the plugin.”
Going into detail, Venkatesh revealed that an authenticated user, in theory, may visit hacker’s website where requests such as cache clearing and resets, could be submitted via authenticated user logins on vulnerable URLs.
This is a CSRF vulnerability. Consider this scenario where the authenticated user visits another site (belonging to an attacker), where a request could be submitted to the above URL using the authenticate user’s session and the action could be performed – even if the user never wanted something like that to happen,(and) without their knowledge too.
The plugin developer was quick to react and has now published a fix for the problem, meaning the version 188.8.131.52 is now safe to use. Have anything interesting to add to the story? Take to the comments section below.