{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-9635", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-08-28T20:11:14.626Z", "datePublished": "2025-09-11T07:24:55.459Z", "dateUpdated": "2026-04-08T17:01:53.791Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:01:53.791Z"}, "affected": [{"vendor": "ishan001", "product": "Analytics Reduce Bounce Rate", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Analytics Reduce Bounce Rate plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3. This is due to missing or incorrect nonce validation on the unbounce_options function. This makes it possible for unauthenticated attackers to modify Google Analytics tracking settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "Analytics Reduce Bounce Rate <= 2.3 - Cross-Site Request Forgery", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/787929b7-e8e0-4b24-9556-0198199c417f?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/analytics-unbounce/tags/2.3/analytics-unbounce.php#L86"}, {"url": "https://plugins.trac.wordpress.org/browser/analytics-unbounce/tags/2.3/analytics-unbounce.php#L124"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan"}], "timeline": [{"time": "2025-09-10T18:44:22.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-11T14:03:07.248232Z", "id": "CVE-2025-9635", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-11T14:39:22.378Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-9635", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-09-11T14:03:07.248232Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-11T14:03:09.654Z"}}], "cna": {"title": "Analytics Reduce Bounce Rate <= 2.3 - Cross-Site Request Forgery", "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "ishan001", "product": "Analytics Reduce Bounce Rate", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-09-10T18:44:22.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/787929b7-e8e0-4b24-9556-0198199c417f?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/analytics-unbounce/tags/2.3/analytics-unbounce.php#L86"}, {"url": "https://plugins.trac.wordpress.org/browser/analytics-unbounce/tags/2.3/analytics-unbounce.php#L124"}], "descriptions": [{"lang": "en", "value": "The Analytics Reduce Bounce Rate plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3. This is due to missing or incorrect nonce validation on the unbounce_options function. This makes it possible for unauthenticated attackers to modify Google Analytics tracking settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:01:53.791Z"}}}, "cveMetadata": {"cveId": "CVE-2025-9635", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:01:53.791Z", "dateReserved": "2025-08-28T20:11:14.626Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-09-11T07:24:55.459Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Analytics Reduce Bounce Rate plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3. This is due to missing or incorrect nonce validation on the unbounce_options function. This makes it possible for unauthenticated attackers to modify Google Analytics tracking settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "id": "CVE-2025-9635", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-09-11T08:15:38.733", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/analytics-unbounce/tags/2.3/analytics-unbounce.php#L124"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/analytics-unbounce/tags/2.3/analytics-unbounce.php#L86"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/787929b7-e8e0-4b24-9556-0198199c417f?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T19:06:29.843215+00:00", "value": {"mitigation_remediation": ["If a newer plugin version that includes proper nonce validation is available, update the plugin.", "If no patch is available, disable or uninstall the plugin to eliminate the vulnerable endpoint.", "Reduce the attack surface by limiting administrator accounts, applying IP whitelisting, enabling two\u2011factor authentication, and monitoring for suspicious links or click events."], "summary": {"action": "Patch if Available", "impact": "Unauthorized modification of Google Analytics tracking settings via CSRF"}, "threat_synthesis": {"affected_systems": "All releases of the Analytics Reduce Bounce Rate plugin by the vendor ishan001 up to and including version 2.3 are affected. No further sub\u2011version details are specified, so the entire \u22642.3 line is vulnerable.", "description_and_impact": "The Analytics Reduce Bounce Rate WordPress plugin is vulnerable to cross\u2011site request forgery due to missing or incorrect nonce validation in the unbounce_options function. An unauthenticated attacker can craft a request that, if a site administrator clicks a link, changes the plugin\u2019s Google Analytics tracking settings. This unauthorized change can result in incorrect analytics data, data integrity issues, or potential unintended data exposure.", "risk_and_exploitability": "The vulnerability has a CVSS score of 4.3, indicating moderate impact, and an EPSS score of less than 1%, suggesting a low likelihood of exploitation at present. It is not listed in the CISA KEV catalog. The attack relies on social engineering, requiring an administrator to be tricked into clicking a forged request. The weakness is identified as CWE\u2011352, a classic CSRF flaw. "}}}}, "created": "2025-09-12T08:03:05.951870+00:00", "updated": "2026-04-21T19:15:26.034157+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}