{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-1507", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-02-20T18:57:47.136Z", "datePublished": "2025-03-14T08:23:04.440Z", "dateUpdated": "2026-04-08T16:45:07.542Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:45:07.542Z"}, "affected": [{"vendor": "sharethis", "product": "ShareThis Dashboard for Google Analytics", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.2.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The ShareThis Dashboard for Google Analytics plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_actions() function in all versions up to, and including, 3.2.1. This makes it possible for unauthenticated attackers to disable all features."}], "title": "ShareThis Dashboard for Google Analytics <= 3.2.1 - Missing Authorization to Unauthenticated Feature Deactivation", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/314b8638-15e7-461d-a705-3858fe6813e7?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3255511/googleanalytics/trunk/class/core/class-ga-controller-core.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Antonio Francesco Sardella"}], "timeline": [{"time": "2025-03-13T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-14T13:10:59.370888Z", "id": "CVE-2025-1507", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-14T13:11:55.574Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-1507", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-14T13:10:59.370888Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-14T13:11:07.167Z"}}], "cna": {"title": "ShareThis Dashboard for Google Analytics <= 3.2.1 - Missing Authorization to Unauthenticated Feature Deactivation", "credits": [{"lang": "en", "type": "finder", "value": "Antonio Francesco Sardella"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "sharethis", "product": "ShareThis Dashboard for Google Analytics", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.2.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-03-13T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/314b8638-15e7-461d-a705-3858fe6813e7?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3255511/googleanalytics/trunk/class/core/class-ga-controller-core.php"}], "descriptions": [{"lang": "en", "value": "The ShareThis Dashboard for Google Analytics plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_actions() function in all versions up to, and including, 3.2.1. This makes it possible for unauthenticated attackers to disable all features."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:45:07.542Z"}}}, "cveMetadata": {"cveId": "CVE-2025-1507", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:45:07.542Z", "dateReserved": "2025-02-20T18:57:47.136Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-03-14T08:23:04.440Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sharethis:dashboard_for_google_analytics:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "1BCC768D-1A1A-4A70-9F14-BD37CCC5351F", "versionEndExcluding": "3.2.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The ShareThis Dashboard for Google Analytics plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_actions() function in all versions up to, and including, 3.2.1. This makes it possible for unauthenticated attackers to disable all features."}, {"lang": "es", "value": "El complemento ShareThis Dashboard para Google Analytics para WordPress es vulnerable a la modificaci\u00f3n no autorizada de datos debido a la falta de una comprobaci\u00f3n de capacidad en la funci\u00f3n handle_actions() en todas las versiones hasta la 3.2.1 incluida. Esto permite que atacantes no autenticados deshabiliten todas las funciones."}], "id": "CVE-2025-1507", "lastModified": "2025-03-27T01:35:44.843", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2025-03-14T09:15:14.477", "references": [{"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset/3255511/googleanalytics/trunk/class/core/class-ga-controller-core.php"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/314b8638-15e7-461d-a705-3858fe6813e7?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T17:48:33.200314+00:00", "value": {"mitigation_remediation": ["Update the ShareThis Dashboard for Google Analytics plugin to the latest version (at least 3.2.2) which contains the fixed capability check.", "If an update is not immediately possible, temporarily deactivate or uninstall the plugin to prevent feature deactivation attacks.", "As a short\u2011term workaround, restrict direct access to the plugin\u2019s handle_actions endpoint by applying an is_admin capability check or server\u2011side access rules (e.g., .htaccess rules) so that only authenticated administrators can trigger it."], "summary": {"action": "Apply Patch", "impact": "Unauthorized feature disabling"}, "threat_synthesis": {"affected_systems": "All WordPress sites using ShareThis Dashboard for Google Analytics plugin version 3.2.1 or earlier are vulnerable. The plugin is identified by the CNA as sharethis:ShareThis Dashboard for Google Analytics and appears in the WordPress ecosystem. No specific operating system or additional software is required beyond a standard WordPress installation with this plugin enabled.", "description_and_impact": "The ShareThis Dashboard for Google Analytics plugin for WordPress contains a missing capability check in its handle_actions() function in all versions up to 3.2.1. This flaw allows an unauthenticated attacker to invoke administrative functionality and disable all plugin features, effectively removing Google Analytics integration and any associated site metrics. The impact is a loss of analytics data and a potential disruption to business insights without granting direct access to site content or files.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity, and the EPSS score of less than 1% suggests a very low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit it by sending crafted requests to the plugin\u2019s administrative endpoint without authentication, which triggers the capability check bypass. Compromise results in loss of analytics functionality but does not grant broader site access; the effect is confined to feature deactivation and the loss of data rather than direct code execution or data exfiltration. Due to the moderate CVSS score and low EPSS, the risk remains low to moderate, but remediation is still recommended to preserve analytics integrity and prevent accidental or malicious disabling of the plugin."}}}}, "created": "2026-04-22T18:00:05.476138+00:00", "updated": "2026-04-22T18:00:05.476154+00:00", "vendors": []}