What the vulnerability does
01 Description
Missing Authorization vulnerability in Passionate Brains GA4WP: Google Analytics for WordPress ga-for-wp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects GA4WP: Google Analytics for WordPress: from n/a through <= 2.10.0.
Explanation of Vulnerability in Simple Terms
02 Summary
GA4WP (Google Analytics for WordPress) versions up to 2.10.0 lack proper authorization checks, allowing authenticated users with low privileges to modify site data and disrupt availability. An attacker with a basic WordPress account can alter analytics settings or cause service degradation without needing higher permissions. Update to a version newer than 2.10.0 to restore proper access controls.
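To check whether an installation falls in the affected range, the following added example (not code from the plugin or from this advisory) reads the Version header of the plugin under the ga-for-wp directory and compares it numerically with 2.10.0. The function names, the header-scanning approach and the plugins path in the usage comment are assumptions made for illustration.

```python
import re
import sys
from pathlib import Path

PLUGIN_SLUG = "ga-for-wp"    # plugin slug as given in the advisory
LAST_AFFECTED = (2, 10, 0)   # advisory: affected through <= 2.10.0

# WordPress plugin headers sit in a comment near the top of the main PHP file.
NAME_RE = re.compile(r"^[ \t/*#@]*Plugin Name:", re.I | re.M)
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.I | re.M)


def parse_version(text):
    """'2.10.0' -> (2, 10, 0); a non-numeric suffix such as '-beta' is dropped."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(parts)


def is_affected(version):
    """True if version <= 2.10.0, compared numerically (so 2.9.x < 2.10.0)."""
    v = parse_version(version)
    width = max(len(v), len(LAST_AFFECTED))
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(v) <= pad(LAST_AFFECTED)


def installed_version(plugins_dir):
    """Return the Version header of the installed plugin, or None if absent."""
    for php in sorted(Path(plugins_dir, PLUGIN_SLUG).glob("*.php")):
        head = php.read_bytes()[:8192].decode("utf-8", "replace")
        m = VERSION_RE.search(head)
        if NAME_RE.search(head) and m:
            return m.group(1)
    return None


if __name__ == "__main__":
    # Usage (path is an assumption): python check_ga4wp.py /var/www/html/wp-content/plugins
    found = installed_version(sys.argv[1]) if len(sys.argv) > 1 else None
    if found is None:
        print(f"{PLUGIN_SLUG}: not found")
    else:
        print(f"{PLUGIN_SLUG} {found}: {'AFFECTED' if is_affected(found) else 'not in affected range'}")
```

A plain string comparison would rank "2.9.x" above "2.10.0" and report an affected install as safe, which is why the versions are compared as integer tuples.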
What an attacker can do
03 Attacker Capabilities
Modify analytics configuration or disrupt service availability with a low-privilege WordPress account.
Potential impact on your site
04 Site Impact
Unauthorized users can tamper with Google Analytics settings or cause the plugin to malfunction, affecting data integrity and site monitoring.
Conditions required to exploit
05 Prerequisites
Attacker must have a valid WordPress user account with low-level permissions (e.g., Subscriber or Contributor role).
Key dates
06 Disclosure timeline
January 8, 2026: CVE published
April 28, 2026: Record updated