Description
The ShareThis Dashboard for Google Analytics plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.4. This is due to the Google Analytics client_ID and client_secret being stored in plaintext in the publicly visible plugin source. This can allow unauthenticated attackers to craft a link to the sharethis.com server, which will share an authorization token for Google Analytics with a malicious website, if the attacker can trick an administrator logged into the website and Google Analytics to click the link.
Published: 2026-01-07
Score: 4.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Information Exposure
Action: Apply Patch
AI Analysis

Impact

The ShareThis Dashboard for Google Analytics plugin stores the Google Analytics client ID and client secret in plaintext within its public source code for all releases up to and including version 3.2.4. This flaw allows a potential attacker to obtain those credentials and use them to impersonate the site or generate an authorization token that can be chained to a malicious site. The resulting vulnerability enables the exfiltration of Google Analytics data without requiring any authenticated access to the WordPress dashboard.

Affected Systems

WordPress sites that install or have installed the ShareThis Dashboard for Google Analytics plugin version 3.2.4 or earlier. The exact affected product is the ShareThis Dashboard for Google Analytics plugin; no particular operating system or server environment is required beyond standard WordPress hosting.

Risk and Exploitability

The CVSS score of 4.7 indicates a moderate impact risk, while the EPSS score of less than 1% suggests the likelihood of exploitation remains very low. The vulnerability is not listed in CISA’s KEV catalog, further supporting the conclusion that there are currently no known widespread attacks. Attackers would need to lure a site administrator who is currently logged into both WordPress and Google Analytics into clicking a crafted link that forwards an access token to a malicious domain. This inferred attack vector requires social engineering rather than a purely automated exploit.

Generated by OpenCVE AI on April 21, 2026 at 16:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the ShareThis Dashboard for Google Analytics plugin to the latest version (3.2.5 or later, where credentials are no longer stored in plaintext)
  • If an upgrade is not possible, remove the client ID and client secret keys from the plugin’s database or configuration files to prevent disclosure
  • Consider switching to an alternative Google Analytics integration that stores credentials securely or uses OAuth flows that do not expose secrets in the code

Generated by OpenCVE AI on April 21, 2026 at 16:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 08 Jan 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Sharethis
Sharethis dashboard For Google Analytics
Wordpress
Wordpress wordpress
Vendors & Products Sharethis
Sharethis dashboard For Google Analytics
Wordpress
Wordpress wordpress

Wed, 07 Jan 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 07 Jan 2026 08:30:00 +0000

Type Values Removed Values Added
Description The ShareThis Dashboard for Google Analytics plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.4. This is due to the Google Analytics client_ID and client_secret being stored in plaintext in the publicly visible plugin source. This can allow unauthenticated attackers to craft a link to the sharethis.com server, which will share an authorization token for Google Analytics with a malicious website, if the attacker can trick an administrator logged into the website and Google Analytics to click the link.
Title ShareThis Dashboard for Google Analytics <= 3.2.4 - Unauthenticated Google Analytics Data Exposure
Weaknesses CWE-200
References
Metrics cvssV3_1

{'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N'}

Subscriptions

Sharethis Dashboard For Google Analytics
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:58:14.741Z

Reserved: 2025-10-30T23:18:03.695Z

Link: CVE-2025-12540

cve-icon Vulnrichment

Updated: 2026-01-07T16:37:34.985Z

cve-icon NVD

Status : Deferred

Published: 2026-01-07T12:16:46.970

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12540

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T17:00:12Z

Weaknesses