{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22517", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-07T13:44:43.226Z", "datePublished": "2026-01-08T16:22:10.370Z", "dateUpdated": "2026-04-28T16:14:46.501Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "ga-for-wp", "product": "GA4WP: Google Analytics for WordPress", "vendor": "Passionate Brains", "versions": [{"lessThanOrEqual": "2.10.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Legion Hunter | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:44:04.322Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Passionate Brains GA4WP: Google Analytics for WordPress ga-for-wp allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects GA4WP: Google Analytics for WordPress: from n/a through <= 2.10.0.</p>"}], "value": "Missing Authorization vulnerability in Passionate Brains GA4WP: Google Analytics for WordPress ga-for-wp allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects GA4WP: Google Analytics for WordPress: from n/a through <= 2.10.0."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:46.501Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/ga-for-wp/vulnerability/wordpress-ga4wp-google-analytics-for-wordpress-plugin-2-10-0-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress GA4WP: Google Analytics for WordPress plugin <= 2.10.0 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-08T17:01:20.977773Z", "id": "CVE-2026-22517", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-25T01:57:38.967Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22517", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-08T17:01:20.977773Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-08T17:01:26.313Z"}}], "cna": {"title": "WordPress GA4WP: Google Analytics for WordPress plugin <= 2.10.0 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Legion Hunter | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Passionate Brains", "product": "GA4WP: Google Analytics for WordPress", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "2.10.0"}], "packageName": "ga-for-wp", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:21:50.860Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/ga-for-wp/vulnerability/wordpress-ga4wp-google-analytics-for-wordpress-plugin-2-10-0-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Passionate Brains GA4WP: Google Analytics for WordPress ga-for-wp allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects GA4WP: Google Analytics for WordPress: from n/a through <= 2.10.0.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in Passionate Brains GA4WP: Google Analytics for WordPress ga-for-wp allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects GA4WP: Google Analytics for WordPress: from n/a through <= 2.10.0.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:03.723Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22517", "state": "PUBLISHED", "dateUpdated": "2026-04-25T01:57:38.967Z", "dateReserved": "2026-01-07T13:44:43.226Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-08T16:22:10.370Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Passionate Brains GA4WP: Google Analytics for WordPress ga-for-wp allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects GA4WP: Google Analytics for WordPress: from n/a through <= 2.10.0."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en Passionate Brains GA4WP: Google Analytics para WordPress permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a GA4WP: Google Analytics para WordPress: desde n/a hasta 2.10.0."}], "id": "CVE-2026-22517", "lastModified": "2026-04-23T15:36:37.740", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-01-08T17:15:51.663", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/ga-for-wp/vulnerability/wordpress-ga4wp-google-analytics-for-wordpress-plugin-2-10-0-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T18:14:58.892374+00:00", "value": {"mitigation_remediation": ["Upgrade the GA4WP plugin to the latest available version that patches the access control flaw.", "If an upgrade is not immediately possible, restrict access to the plugin\u2019s administrative pages by limiting WordPress user roles to administrators only and applying web\u2011application firewall rules to block unauthenticated requests to the plugin\u2019s endpoints.", "Perform a review of the plugin\u2019s analytics configuration and monitor for any unauthorized changes; consider disabling the plugin if it is not required for site functionality."], "summary": {"action": "Patch ASAP", "impact": "Privilege Escalation via Broken Access Control"}, "threat_synthesis": {"affected_systems": "The flaw affects the GA4WP: Google Analytics for WordPress plugin distributed by Passionate Brains. All released versions through and including 2.10.0 are impacted. No other products or versions have been identified.", "description_and_impact": "The vulnerability is a missing authorization flaw in the GA4WP WordPress plugin, allowing an attacker to perform privileged operations that should be restricted. The flaw arises from incorrectly configured access control levels, enabling users without proper permissions to execute admin\u2011level actions. An attacker who can exploit this flaw may modify the plugin\u2019s analytics settings, inject tracking changes, or access sensitive configuration data, undermining the integrity and confidentiality of a site\u2019s analytics data.", "risk_and_exploitability": "The EPSS score is below 1%, indicating a low probability of exploitation, and the issue is not listed in the CISA KEV catalog. The CVSS score of 5.4 reflects a moderate impact level. The attacker\u2019s path is likely a remote web request to the plugin\u2019s administrative endpoints, assuming the site does not have additional access controls. Although the immediate risk level may be moderate due to the low exploitation likelihood, the potential impact of unauthorized configuration changes is significant. Vulnerability is considered CVE-2026-22517."}}}}, "created": "2026-01-09T13:24:30.865199+00:00", "updated": "2026-04-28T18:15:37.379248+00:00", "vendors": ["passionate_brains", "passionate_brains$PRODUCT$ga4wp", "wordpress", "wordpress$PRODUCT$wordpress"]}