Description
The Analytics Reduce Bounce Rate plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3. This is due to missing or incorrect nonce validation on the unbounce_options function. This makes it possible for unauthenticated attackers to modify Google Analytics tracking settings via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-09-11
Score: 4.3 (Medium)
EPSS: < 1% (Very Low)
KEV: No
Impact: Unauthorized modification of Google Analytics tracking settings via CSRF
Action: Patch if Available
AI Analysis

Impact

The Analytics Reduce Bounce Rate WordPress plugin is vulnerable to cross-site request forgery because the unbounce_options function performs missing or incorrect nonce validation. An unauthenticated attacker can craft a request that, if a site administrator is tricked into clicking a link while logged in, changes the plugin's Google Analytics tracking settings. Such an unauthorized change can result in incorrect analytics data, loss of data integrity, or unintended exposure of tracking data.

Affected Systems

All releases of the Analytics Reduce Bounce Rate plugin by the vendor ishan001 up to and including version 2.3 are affected. No further sub-version details are specified, so the entire <= 2.3 line is vulnerable.

Risk and Exploitability

The vulnerability has a CVSS score of 4.3, indicating moderate impact, and an EPSS score of less than 1%, suggesting a low likelihood of exploitation at present. It is not listed in the CISA KEV catalog. The attack relies on social engineering: an administrator must be tricked into triggering the forged request, for example by clicking a link. The weakness is identified as CWE-352, a classic CSRF flaw.

Generated by OpenCVE AI on April 21, 2026 at 19:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • If a newer plugin version that includes proper nonce validation is available, update the plugin.
  • If no patch is available, disable or uninstall the plugin to eliminate the vulnerable endpoint.
  • Reduce the attack surface by limiting the number of administrator accounts, restricting administrative access by IP address (allowlisting), enabling two-factor authentication, and monitoring administrator activity for suspicious links or click events.
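The missing-nonce pattern behind CWE-352 and the checks a fixed version would add, as an added illustrative example in PHP (not the plugin's own code; the example_* function names, the option key and the nonce action are hypothetical):

```php
<?php
// Added illustrative example, not the plugin's code. Function names,
// the option key and the nonce action are hypothetical placeholders.

// Vulnerable pattern: the settings handler writes whatever arrives in
// the POST body with no proof that the request came from this site's
// own admin form, so a forged cross-site request from a logged-in
// administrator's browser is accepted.
function example_save_options_vulnerable() {
    if ( isset( $_POST['example_ga_id'] ) ) {
        update_option( 'example_ga_id', sanitize_text_field( wp_unslash( $_POST['example_ga_id'] ) ) );
    }
}

// Hardened pattern, part 1: the form embeds a per-user, per-action nonce.
function example_render_form() {
    ?>
    <form method="post" action="">
        <?php wp_nonce_field( 'example_save_options', 'example_nonce' ); ?>
        <input type="text" name="example_ga_id"
               value="<?php echo esc_attr( get_option( 'example_ga_id', '' ) ); ?>" />
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Hardened pattern, part 2: the handler checks authorization (capability)
// and request origin (nonce) before touching the option.
function example_save_options_hardened() {
    if ( ! isset( $_POST['example_ga_id'] ) ) {
        return;
    }
    // Capability check: only users allowed to manage options may change
    // tracking settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Nonce check: a forged request from another origin cannot carry the
    // token, so check_admin_referer() terminates the request.
    check_admin_referer( 'example_save_options', 'example_nonce' );

    update_option( 'example_ga_id', sanitize_text_field( wp_unslash( $_POST['example_ga_id'] ) ) );
}
add_action( 'admin_init', 'example_save_options_hardened' );
```

Nonces expire and are bound to the current user, so the token cannot be harvested in advance and reused by a third party.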


Advisories

Source: EUVD
ID: EUVD-2025-27656
Title: The Analytics Reduce Bounce Rate plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3. This is due to missing or incorrect nonce validation on the unbounce_options function. This makes it possible for unauthenticated attackers to modify Google Analytics tracking settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

History

Fri, 12 Sep 2025 08:15:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Thu, 11 Sep 2025 15:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 11 Sep 2025 07:30:00 +0000

Type: Description
Values Added: The Analytics Reduce Bounce Rate plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3. This is due to missing or incorrect nonce validation on the unbounce_options function. This makes it possible for unauthenticated attackers to modify Google Analytics tracking settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Type: Title
Values Added: Analytics Reduce Bounce Rate <= 2.3 - Cross-Site Request Forgery

Type: Weaknesses
Values Added: CWE-352

Type: References

Type: Metrics
Values Added: cvssV3_1
{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED
Assigner: Wordfence
Published:
Updated: 2026-04-08T17:01:53.791Z
Reserved: 2025-08-28T20:11:14.626Z
Link: CVE-2025-9635

Vulnrichment

Updated: 2025-09-11T14:03:09.654Z

NVD

Status: Deferred
Published: 2025-09-11T08:15:38.733
Modified: 2026-04-15T00:35:42.020
Link: CVE-2025-9635

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T19:15:26Z

Weaknesses