Impact
The ShareThis Dashboard for Google Analytics plugin for WordPress lacks a capability check in its handle_actions() function in all versions up to and including 3.2.1. This flaw allows an unauthenticated attacker to invoke administrative functionality and disable all plugin features, effectively removing the Google Analytics integration and any associated site metrics. The impact is a loss of analytics data and a potential disruption to business insights; it does not grant direct access to site content or files.
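As an added illustration that is not the plugin's own code, the following hypothetical WordPress action handler shows the class of defect described above (a privileged action reachable without a capability check) beside its hardened form; every function, option and nonce name here is a placeholder.

```php
<?php
// Hypothetical illustration of a missing capability check in a WordPress
// plugin action handler, and the hardened form. All names are placeholders,
// not code from the ShareThis plugin.

// VULNERABLE PATTERN: the handler trusts the request and performs a
// privileged change without checking who is asking. If the hook that
// registers it is reachable by unauthenticated requests (for example a
// wp_ajax_nopriv_* hook or an unconditional init hook), anyone can call it.
function hypothetical_handle_actions_vulnerable() {
    if ( isset( $_POST['plugin_action'] ) && 'disable_features' === $_POST['plugin_action'] ) {
        update_option( 'hypothetical_plugin_features_enabled', false );
    }
}

// HARDENED PATTERN: verify the caller's capability and a nonce before acting.
function hypothetical_handle_actions_fixed() {
    if ( ! isset( $_POST['plugin_action'] ) ) {
        return;
    }
    // 1. Capability check: only users allowed to manage options may change
    //    plugin settings. Unauthenticated callers fail this check.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die(
            esc_html__( 'Insufficient permissions.', 'hypothetical-plugin' ),
            '',
            array( 'response' => 403 )
        );
    }
    // 2. Nonce check: blocks cross-site request forgery even when an
    //    administrator is logged in.
    check_admin_referer( 'hypothetical_plugin_actions', 'hypothetical_nonce' );

    $action = sanitize_key( wp_unslash( $_POST['plugin_action'] ) );
    if ( 'disable_features' === $action ) {
        update_option( 'hypothetical_plugin_features_enabled', false );
    }
}
```

Both checks matter: the capability check closes the unauthenticated path this advisory describes, while the nonce check prevents a logged-in administrator from being tricked into triggering the action.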
Affected Systems
All WordPress sites running the ShareThis Dashboard for Google Analytics plugin at version 3.2.1 or earlier are vulnerable. The plugin is identified by the CNA as sharethis:ShareThis Dashboard for Google Analytics and is distributed through the WordPress ecosystem. No specific operating system or additional software is required beyond a standard WordPress installation with this plugin enabled.
Risk and Exploitability
The CVSS score of 5.3 indicates moderate severity, and the EPSS score of less than 1% suggests a very low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit it by sending crafted requests to the plugin’s administrative endpoint without authentication; the handler processes these requests without verifying the caller’s capabilities. Compromise results in loss of analytics functionality but does not grant broader site access; the effect is confined to feature deactivation and loss of analytics data rather than code execution or data exfiltration. Given the moderate CVSS score and low EPSS, the risk remains low to moderate, but remediation is still recommended to preserve analytics integrity and prevent accidental or malicious disabling of the plugin.
OpenCVE Enrichment