Description
Missing Authorization vulnerability in Solid Plugins AnalyticsWP allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects AnalyticsWP: from n/a through 2.0.0.
Published: 2025-05-19
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing authorization flaw that lets an attacker invoke functionality in the AnalyticsWP plugin that should be limited to privileged users. Because the plugin does not properly enforce its ACLs, that functionality is reachable without the required privileges, leading to unauthorized access to plugin features.

Affected Systems

All versions of the Solid Plugins AnalyticsWP plugin up to and including 2.0.0 are affected. The vulnerability applies to every deployment that uses these versions without any additional custom restrictions. Any WordPress installation that has the plugin installed and is publicly accessible is at risk.

Risk and Exploitability

The CVSS score of 5.3 indicates medium severity, the EPSS score of less than 1% suggests a low likelihood of exploitation, and the plugin is not in the CISA KEV catalog. The vulnerability involves the plugin’s web interfaces, but the exact attack vector is not explicitly stated in the description and thus requires additional analysis.

Generated by OpenCVE AI on May 2, 2026 at 01:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the AnalyticsWP plugin to the latest version released (any version newer than 2.0.0).
  • Restrict plugin endpoint access to users with appropriate WordPress roles or by adding capability checks.
  • If no upgrade is possible, disable or delete the plugin until a patch is released.

Advisories
Source | ID | Title
EUVD | EUVD-2025-27950 | Missing Authorization vulnerability in Solid Plugins AnalyticsWP allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects AnalyticsWP: from n/a through 2.0.0.

History

Tue, 28 Apr 2026 19:45:00 +0000


Tue, 28 Apr 2026 18:30:00 +0000

Type | Values Removed | Values Added
Description | Missing Authorization vulnerability in Solid Plugins AnalyticsWP analyticswp allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects AnalyticsWP: from n/a through <= 2.0.0. | Missing Authorization vulnerability in Solid Plugins AnalyticsWP allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects AnalyticsWP: from n/a through 2.0.0.
References | |

Thu, 23 Apr 2026 15:30:00 +0000


Thu, 23 Apr 2026 15:00:00 +0000

Type | Values Removed | Values Added
Description | Missing Authorization vulnerability in Solid Plugins AnalyticsWP allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects AnalyticsWP: from n/a through 2.0.0. | Missing Authorization vulnerability in Solid Plugins AnalyticsWP analyticswp allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects AnalyticsWP: from n/a through <= 2.0.0.
References | |

Tue, 20 May 2025 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 19 May 2025 17:00:00 +0000

Type | Values Removed | Values Added
Description | | Missing Authorization vulnerability in Solid Plugins AnalyticsWP allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects AnalyticsWP: from n/a through 2.0.0.
Title | | WordPress AnalyticsWP plugin <= 2.0.0 - Broken Access Control vulnerability
Weaknesses | | CWE-862
References | |
Metrics | | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:30.167Z

Reserved: 2025-04-16T06:22:42.846Z

Link: CVE-2025-39388

Vulnrichment

Updated: 2025-05-20T14:09:07.706Z

NVD

Status: Deferred

Published: 2025-05-19T17:15:27.000

Modified: 2026-04-28T19:31:54.990

Link: CVE-2025-39388

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T01:45:26Z
