A vulnerability was found in Analytics Insights for Google Analytics 4 Plugin up to 6.2 on WordPress (WordPress Plugin). It has been declared as problematic. Affected by this vulnerability is an unknown code block of the file oauth2callback.php. The manipulation with an unknown input leads to a redirect vulnerability. The CWE definition for the vulnerability is CWE-601. A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks. As an impact it is known to affect integrity. The summary by CVE is:

The Analytics Insights for Google Analytics 4 (AIWP) WordPress plugin before 6.3 is vulnerable to Open Redirect due to insufficient validation on the redirect oauth2callback.php file. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action.

The weakness was disclosed 02/12/2024 by Krzysztof Zając. It is possible to read the advisory at wpscan.com. This vulnerability is known as CVE-2024-0250 since 01/05/2024. It demands that the victim is doing some kind of user interaction. Technical details of the vulnerability are known, but there is no available exploit. The attack technique deployed by this issue is T1204.001 according to MITRE ATT&CK.

By approaching the search of inurl:oauth2callback.php it is possible to find vulnerable targets with Google Hacking.

Upgrading to version 6.3 eliminates this vulnerability.

Productinfo

Type

• WordPress Plugin

Name

• Analytics Insights for Google Analytics 4 Plugin

Version

• 6.0
• 6.1
• 6.2

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion