Description
The Plugin for Google Analytics by IO technologies plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the Google Analytics settings page (ga.php). This makes it possible for unauthenticated attackers to update the plugin's stored Google Analytics tracking ID option (io-ga-id) via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2026-06-30
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

IO Technologies' Plugin for Google Analytics for WordPress does not properly validate nonces on its settings page, so a forged request to that page is accepted. By tricking a logged-in site administrator into visiting a crafted link, an attacker who is not authenticated to the site can change the stored tracking ID the site uses. This lets the attacker alter site configuration and potentially track or influence visitor data silently.

Affected Systems

WordPress sites running IO Technologies' Plugin for Google Analytics up to and including version 1.1 are vulnerable. On these versions, administrators cannot rely on the plugin's nonce checks to protect the ga.php settings page.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity. No EPSS data is currently available, and the vulnerability is not listed in the CISA KEV catalog. The attack requires social engineering to get a site administrator to click a malicious link; no remote code execution or privilege escalation is possible, but a successful attack can silently alter analytics data. Given the moderate score and lack of widespread exploitation evidence, the risk is present but limited to configuration manipulation scenarios.

Generated by OpenCVE AI on June 30, 2026 at 07:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the plugin to a version newer than 1.1
  • If an upgrade is not immediately possible, disable the plugin or remove the Google Analytics settings page to prevent abuse
  • Add a server-side nonce check to ga.php, or otherwise patch it, so that every change to io-ga-id requires a valid nonce from an authenticated session

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 06:00:00 +0000

Values added, by type (no removed values are listed):

  • Description: The Plugin for Google Analytics by IO technologies plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the Google Analytics settings page (ga.php). This makes it possible for unauthenticated attackers to update the plugin's stored Google Analytics tracking ID option (io-ga-id) via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
  • Title: Plugin for Google Analytics by IO technologies <= 1.1 - Cross-Site Request Forgery via 'ga_id' Parameter
  • Weaknesses: CWE-352
  • References:
  • Metrics: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-30T04:30:17.222Z

Reserved: 2026-05-19T12:25:14.699Z

Link: CVE-2026-8944

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T07:30:06Z

Weaknesses
  • CWE-352: Cross-Site Request Forgery (CSRF)