CSRF in Google Analytics MU 2.3


Last revised:

If an admin visits a page of the attacker’s choosing then the plugin’s settings can be altered. This could cause a mild disruption by breaking analytics until the problem is noticed, or if the attacker substitutes an analytics code they own they could gain access to the analytics data until the organisation notices the problem.

There should be a nonce check around line 71 of google-analytics-mu.php and a nonce around line 86.

Current state: Fixed

CVSS Summary

CVSS base scores for this vulnerability
Score 5.8 Medium
Vector Network
Complexity Medium
Authentication None
Confidentiality Partial
Integrity Partial
Availability None
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

A simple form which changes the analytics code to “abc”:

<form method="POST" action="http://localhost/wp-admin/network/settings.php?page=google-analytics-mu-network">
  <input type="text" name="UAIDsuper" value="abc">
  <input type="submit">

Advisory timeline

  • 2014-02-19: Discovered
  • 2014-02-26: Reported
  • 2014-02-27: Vendor reports fixed

Mitigation/further actions

Update to version 2.4 or greater.