Google Analytics Dashboard

Potentially unsafe

Last revised: June 25, 2013

Confidence: Medium
This plugin has been given a short, targeted code review.

Before using this plugin, you should very carefully consider its potential problems and should conduct a thorough assessment. Read more about this recommendation.

Warnings

The version of this plugin that this recommendation was based on is known to be vulnerable to attack:

Blind SQL injection in Google Analytics Dashboard could cause denial of service or expose database

This recommendation applies to version 2.0.4 of this plugin, but the most recent version is 2.0.5. These findings may no longer be correct.

View the recommendation for version 2.0.5 of this plugin instead

Findings

Among the issues identified are:

Causes PHP notices – WP deprecation warnings, among other things
A lack of HTML escaping
$wpdb is only used once, but that invocation contains an SQL injection vulnerability which can be exploited by admins or anybody able to make an admin visit a certain address

Reason for the 'Potentially unsafe' result

The plugin contains or is likely to contain a vulnerability which could be exploited by an end user and which would compromise the site’s confidentiality, integrity or availability:

SQL injection.

Failure criteria

Execution of unprepared SQL statements
Failure to use available core functionality
Unsafe request processing
Lack of proper output escaping

dxw advisories

Plugin inspection: