CVE-2025-23483: 
WordPress vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the Universal Analytics Injector WordPress plugin, affecting all versions up to and including 1.0.3. The vulnerability was identified with CVE-2025-23483 and was publicly disclosed on January 16, 2025. The security researcher SOPROBRO is credited with discovering this vulnerability (WPScan, Patchstack).

The vulnerability stems from missing or incorrect nonce validation on a function within the Universal Analytics Injector plugin. The CVSS score ranges from 6.1 to 7.1 (medium to low severity), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified under CWE-352 and falls into the OWASP Top 10 category A2: Broken Authentication and Session Management (WPScan, Patchstack).

The vulnerability allows unauthenticated attackers to update settings and inject malicious web scripts through stored Cross-Site Scripting (XSS) via a forged request. This can occur if an attacker successfully tricks a site administrator into performing specific actions, such as clicking on a malicious link (WPScan).

As of the disclosure date, no official fix is available for this vulnerability. The issue affects version 1.0.3 and earlier versions of the Universal Analytics Injector plugin (Patchstack).