Reporter Nitin Venkatesh
# Title: Cross-Site Request Forgery in Google Analyticator WordPress Plugin
v18.104.22.168 before rev @1183563
# Submitter: Nitin Venkatesh
# Product: Google Analyticator WordPress Plugin
# Product URL: https://wordpress.org/plugins/google-analyticator/
# Vulnerability Type: Cross-Site Request Forgery [CWE-352]
# Affected Versions: v22.214.171.124 before rev @1183563 and possibly earlier
# Tested versions: v126.96.36.199 rev @1168849
# Fixed Version: v188.8.131.52 rev @1183563
# Link to code diff: https://plugins.trac.wordpress.org/changeset/1183563/
# CVE Status: None/Unassigned/Fresh
## Product Information:
Google Analyticator makes it super easy to view Google Analytics within
your WordPress dashboard. This eliminates the need to edit your template
code to begin logging. Google Analyticator also includes several widgets
for displaying Analytics data in the admin and on your blog.
One of the most popular WordPress plugins for Google Analytics! Over 3.5+
## Vulnerability Description:
The administrative actions allowed by the plugin can be exploited using
CSRF which could be used to disrupt the functionality provided by the
Upgrade to v184.108.40.206 rev @1183563
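
Added example, not part of the original advisory and not the plugin's actual patch (see the linked changeset for that): the usual WordPress mitigation for CSRF on an administrative action is a per-user nonce in the form plus a server-side check before any state change. Every `demo_` name, the option key and the page slug below are hypothetical.

```php
<?php
/**
 * Plugin Name: CSRF-safe admin action (constructed example)
 */

// Hypothetical action name; not an identifier from Google Analyticator.
const DEMO_ACTION = 'demo_reset_settings';

// Register a settings page that shows the form (hypothetical slug "demo").
add_action( 'admin_menu', function () {
    add_options_page( 'Demo', 'Demo', 'manage_options', 'demo', 'demo_render_reset_form' );
} );

// Render the form. wp_nonce_field() emits a hidden token bound to the
// logged-in user, their session and the action name, so another site
// cannot predict it when forging a request.
function demo_render_reset_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="<?php echo esc_attr( DEMO_ACTION ); ?>">
        <?php wp_nonce_field( DEMO_ACTION, 'demo_nonce' ); ?>
        <?php submit_button( 'Reset settings' ); ?>
    </form>
    <?php
}

// Handle the state-changing request.
function demo_handle_reset() {
    // Authorization: only users who may manage options can proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // CSRF check: terminates the request unless a valid nonce for this
    // action is present. A handler that omits this line accepts any
    // request carrying the administrator's cookies, whatever its origin.
    check_admin_referer( DEMO_ACTION, 'demo_nonce' );

    delete_option( 'demo_settings' ); // hypothetical option key
    wp_safe_redirect( admin_url( 'options-general.php?page=demo&reset=1' ) );
    exit;
}
add_action( 'admin_post_' . DEMO_ACTION, 'demo_handle_reset' );
```

When auditing a plugin for this class of bug, look for `admin_post_*`, `wp_ajax_*` and settings-page handlers that write options or delete data without a `check_admin_referer()`, `check_ajax_referer()` or `wp_verify_nonce()` call on the same code path.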
## Disclosure Timeline:
2015-05-30 - Contacted developer via forums.
2015-06-02 - Vulnerability details submitted on the forums on developer's
2015-06-13 - Re-contacted developer on the forums.
2015-06-18 - Update released.
2015-06-19 - Publishing to Full Disclosure mailing list
This disclosure is purely meant for educational purposes. I will in no way
be responsible as to how the information in this disclosure is used.