Description
Missing Authorization vulnerability in Passionate Brains Advanced WC Analytics advance-wc-analytics allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Advanced WC Analytics: from n/a through <= 3.19.0.
Published: 2026-02-20
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Patch Update
AI Analysis

Impact

The vulnerability is a missing authorization flaw that permits unauthorized parties to modify settings within the WordPress Advanced WC Analytics plugin. This flaw enables privileged actions such as changing analytics configuration, potentially leading to incorrect data collection or exposing sensitive information. The weakness is identified as CWE-862 (Missing Authorization) and directly undermines the integrity of the plugin’s configuration data.

Affected Systems

The affected product is Passionate Brains' Advanced WC Analytics plugin for WordPress. All releases up to and including version 3.19.0 are impacted; later releases are not listed as vulnerable.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity vulnerability, while the EPSS score of less than 1% suggests a very low probability of exploitation at the time of analysis. The plugin is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker must either be authenticated to the WordPress admin interface or have exploited credential reuse or a misconfiguration that grants sufficient privileges. Once such access is gained, the attacker can modify plugin settings at will. Due to the limited exploitation window and the absence of a known public exploit, the overall risk remains moderate but should not be ignored.

Generated by OpenCVE AI on April 28, 2026 at 09:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Advanced WC Analytics plugin to the latest version (≥ 3.20) to incorporate the vendor fix for the missing authorization issue.
  • Review and restrict WordPress user roles so that only trusted administrators have the capability required to modify Advanced WC Analytics settings.
  • Audit the plugin’s settings and review any recent changes; consider enabling alerts for configuration modifications to detect unauthorized activity early.
  • If upgrading immediately is not possible, disable the plugin’s configuration editing interface for all users below the administrator level to mitigate potential exploitation.

Advisories

No advisories yet.

History

Sat, 25 Apr 2026 12:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L'}
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}


Wed, 25 Feb 2026 20:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L'}


Mon, 23 Feb 2026 15:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added:
  • Passionate Brains
  • Passionate Brains advanced Wc Analytics
  • Wordpress
  • Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added:
  • Passionate Brains
  • Passionate Brains advanced Wc Analytics
  • Wordpress
  • Wordpress wordpress

Fri, 20 Feb 2026 16:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: Missing Authorization vulnerability in Passionate Brains Advanced WC Analytics advance-wc-analytics allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Advanced WC Analytics: from n/a through <= 3.19.0.

Type: Title
Values Removed: (none)
Values Added: WordPress Advanced WC Analytics plugin <= 3.19.0 - Settings Change vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-862
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:27.001Z

Reserved: 2025-12-15T10:01:03.746Z

Link: CVE-2025-68032

Vulnrichment

Updated: 2026-02-25T19:53:50.536Z

NVD

Status: Deferred

Published: 2026-02-20T16:22:08.220

Modified: 2026-04-27T19:16:22.810

Link: CVE-2025-68032

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T09:45:28Z

Weaknesses