CVE-2025-28962 MEDIUM

CVE-2025-28962: WordPress Advanced Google Universal Analytics plugin <= 1.0.3 - Broken Access Control to Sensitive Data Exposure vulnerability

Vendor Stefanoai
Product Advanced Google Universal Analytics
Weakness CWE-862 · Missing authorization
Published August 14, 2025
Last update April 28, 2026
View on NVD All CVEs

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

Missing Authorization vulnerability in stefanoai Advanced Google Universal Analytics advanced-google-universal-analytics allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Advanced Google Universal Analytics: from n/a through <= 1.0.3.

Explanation of Vulnerability in Simple Terms

02Summary

Advanced Google Universal Analytics versions 1.0.3 and earlier fail to properly check user permissions before allowing access to sensitive analytics data. An authenticated user with low privileges can read analytics information they should not have access to. The vulnerability requires a valid user account but no special interaction from the victim.

What an attacker can do

03Attacker Capabilities

Read analytics data belonging to other users or restricted accounts.

Potential impact on your site

04Site Impact

Unauthorized users can access sensitive analytics reports and data they should not see.

Conditions required to exploit

05Prerequisites

Attacker must have a valid low-privilege user account on the site.

Key dates

06Disclosure timeline

August 14, 2025 CVE published
April 28, 2026 Record updated

Related vulnerabilities

08Related CVE

CVE-2026-41352 OpenClaw < 2026.3.31 - Remote Code Execution via Node Scope Gate Bypass CVE-2025-12354 Live CSS Preview <= 2.1.4 - Missing Authorization to Authenticated (Subscriber+) Settings Update CVE-2026-6703 Responsive Blocks <= 2.2.1 - Missing Authorization to Authenticated (Contributor+) Arbitrary Modification via AJAX Actions CVE-2025-32221 WordPress EazyDocs plugin <= 2.7.1 - Broken Access Control vulnerability CVE-2025-13317 Appointment Booking Calendar <= 1.3.96 - Missing Authorization to Arbitrary Booking Confirmation via 'cpabc_ipncheck' Parameter