Description
The Wise Analytics plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.1.9. This is due to missing capability checks on the REST API endpoint '/wise-analytics/v1/report'. This makes it possible for unauthenticated attackers to access sensitive analytics data including administrator usernames, login timestamps, visitor tracking information, and business intelligence data via the 'name' parameter granted they can send unauthenticated requests.
Published: 2026-01-24
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure via Unauthenticated REST API
Action: Assess Impact
AI Analysis

Impact

The vulnerability in the Wise Analytics WordPress plugin arises from a missing capability check on the REST API endpoint '/wise-analytics/v1/report'. An unauthenticated attacker can send a request containing a 'name' parameter and retrieve sensitive analytics data, including administrator usernames, login timestamps, visitor tracking details, and business intelligence metrics. This flaw results in an information disclosure that could aid further targeted attacks.

Affected Systems

The issue affects all installations of the Wise Analytics plugin for WordPress up to and including version 1.1.9.

Risk and Exploitability

The vulnerability carries a CVSS score of 5.3, indicating medium severity. The EPSS score is below 1%, suggesting that the likelihood of exploitation is very low at present. It is not listed in the CISA KEV catalogue. Exploitation consists of issuing unauthenticated HTTP requests to the exposed REST endpoint.

Generated by OpenCVE AI on April 21, 2026 at 00:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Wise Analytics plugin to a version newer than 1.1.9 once available.
  • If an update is not possible immediately, block or restrict the '/wise-analytics/v1/report' endpoint for unauthenticated users via web server rules or a security plugin.
  • Implement role‑based access controls to ensure only users with appropriate capabilities can invoke the endpoint; verify the capability checks are enforced in the code.
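
A stop-gap for the second and third actions above, as an added example that is not code from the Wise Analytics plugin or from OpenCVE: a must-use plugin that refuses the report route to callers without a required capability. The `wa_guard_*` names, the choice of `manage_options`, and the mu-plugins placement are assumptions for illustration.

```php
<?php
/**
 * Plugin Name: Restrict Wise Analytics report endpoint (stop-gap)
 *
 * Added example, not code from the Wise Analytics plugin. Save as a file in
 * wp-content/mu-plugins/ so it loads regardless of which plugins are active.
 */

// Route named in the advisory. WordPress matches REST routes
// case-insensitively, so the comparison below uses a lower-cased path.
const WA_GUARD_ROUTE = '/wise-analytics/v1/report';

// Assumption: only administrators need these reports. Choose the capability
// that matches who should read analytics on your site.
const WA_GUARD_CAPABILITY = 'manage_options';

/**
 * Short-circuit dispatch of the report route for callers lacking the capability.
 *
 * @param mixed           $result  Null unless an earlier filter already responded.
 * @param WP_REST_Server  $server  REST server instance (unused).
 * @param WP_REST_Request $request Request being dispatched.
 * @return mixed Unchanged $result, or WP_Error to deny the request.
 */
function wa_guard_report_route( $result, $server, $request ) {
	if ( null !== $result ) {
		return $result; // An earlier filter already produced a response or error.
	}

	$route = strtolower( untrailingslashit( $request->get_route() ) );

	// Guard the route itself and, as a conservative assumption, any sub-path of it.
	if ( WA_GUARD_ROUTE !== $route && 0 !== strpos( $route, WA_GUARD_ROUTE . '/' ) ) {
		return $result;
	}

	if ( current_user_can( WA_GUARD_CAPABILITY ) ) {
		return $result; // Authorized: let the plugin's own handler run.
	}

	// 401 for anonymous callers, 403 for logged-in users without the capability.
	return new WP_Error(
		'rest_forbidden',
		'You are not allowed to read analytics reports.',
		array( 'status' => rest_authorization_required_code() )
	);
}
add_filter( 'rest_pre_dispatch', 'wa_guard_report_route', 10, 3 );
```

Because the filter runs inside the REST server, it applies whether the route is reached through the `/wp-json/` path or the `?rest_route=` query form; a web server rule that matches only the `/wp-json/` path does not cover the second form.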

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 18:30:00 +0000

Type | Values Removed | Values Added
References | |

Mon, 26 Jan 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 26 Jan 2026 12:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wordpress; Wordpress wordpress
Vendors & Products | | Wordpress; Wordpress wordpress

Sat, 24 Jan 2026 07:45:00 +0000

Type | Values Removed | Values Added
Description | | The Wise Analytics plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.1.9. This is due to missing capability checks on the REST API endpoint '/wise-analytics/v1/report'. This makes it possible for unauthenticated attackers to access sensitive analytics data including administrator usernames, login timestamps, visitor tracking information, and business intelligence data via the 'name' parameter granted they can send unauthenticated requests.
Title | | Wise Analytics <= 1.1.9 - Missing Authorization to Unauthenticated Arbitrary Analytics Database Disclosure via 'name' Parameter
Weaknesses | | CWE-862
References | |
Metrics | | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:27:03.349Z

Reserved: 2025-12-12T20:14:45.895Z

Link: CVE-2025-14609

Vulnrichment

Updated: 2026-01-26T18:17:31.238Z

NVD

Status: Deferred

Published: 2026-01-24T08:16:05.543

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14609

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T00:30:22Z
