CVE-2025-28962: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability (CVE-2025-28962) was discovered in the stefanoai Advanced Google Universal Analytics WordPress plugin, affecting versions through 1.0.3. The vulnerability was initially reported on April 24, 2025, by researcher 0xd4rk5id3, and was publicly disclosed on July 28, 2025 (Patchstack).

The vulnerability is classified as a Broken Access Control issue (CWE-862) with a CVSS v3.1 score of 6.5 (Medium). The vulnerability vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating network accessibility, low attack complexity, and requiring low privileges. The issue stems from missing authorization checks in certain functions, which could allow unprivileged users to execute higher privileged actions (Patchstack).

The vulnerability allows unauthorized access to sensitive data and potential execution of privileged actions by users with subscriber-level access. The issue is considered moderately dangerous and is expected to become actively exploited (Patchstack).

While no official fix is available, Patchstack has issued a virtual patch to mitigate the issue by blocking potential attacks. Website administrators are advised to implement the virtual patch immediately until an official fix becomes available (Patchstack).