Cyber Posture

CVE-2025-26773
Severity: Medium
Published: 17 February 2025
Modified: 23 April 2026
KEV Added:
Patch:
CVSS Score: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
EPSS Score: 0.0009 (24.8th percentile)
Risk Priority: 9 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Missing authorization (CWE-862) in the Analytify WordPress plugin (wp-analytify) allows exploitation of incorrectly configured access control security levels; affected versions run from an unspecified initial version through 5.5.0.

Security Summary

CVE-2025-26773 is a missing authorization vulnerability (CWE-862) in the Analytify WordPress plugin (slug wp-analytify, vendor Adnan Analytify). Missing authorization means an operation is exposed without the access-control check it requires; here that lets a low-privileged user exploit incorrectly configured access control security levels. Affected versions run from an unspecified initial version through 5.5.0.

The vulnerability has a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N), which falls in the Medium band (4.0 to 6.9). The vector describes exploitation over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). It requires low privileges (PR:L), which on a WordPress site means any authenticated account, including the lowest role, so sites that allow open registration should treat the precondition as easily met. Scope is unchanged (S:U) and the result is limited disclosure of confidential information (C:L) with no impact on integrity or availability (I:N, A:N).

Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wp-analytify/vulnerability/wordpress-analytify-plugin-5-5-0-broken-access-control-vulnerability?_s_id=cve. Before concluding a site is unaffected, confirm the installed plugin version (on a WP-CLI managed site, wp plugin get wp-analytify --field=version reports it) and compare it against the advisory's affected range rather than this page alone: the summary and the advisory title refer to 5.5.0, while the Affected Products block below lists versions up to and including 5.5.1.

Details

CWE(s)
CWE-862

Affected Products

Vendor: analytify
Product: analytify - google analytics dashboard
Versions: ≤ 5.5.1

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Missing authorization (CWE-862) in a plugin installed on an Internet-facing WordPress site is reachable through that site's public web application, so it maps to T1190: a remote attacker with a low-privileged account reaches the unprotected operation over the network and obtains data they were not authorized to read.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
