Unrated severityNVD Advisory· Published Dec 2, 2014· Updated May 6, 2026

CVE-2014-9174

Description

Cross-site scripting (XSS) vulnerability in the Google Analytics by Yoast (google-analytics-for-wordpress) plugin before 5.1.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via the "Manually enter your UA code" (manual_ua_code_field) field in the General Settings.

Affected products

Yoast/Google Analytics3 versions
cpe:2.3:a:yoast:google_analytics:*:*:*:*:*:wordpress:*:*+ 2 more
- cpe:2.3:a:yoast:google_analytics:*:*:*:*:*:wordpress:*:*range: <=5.1.2
- cpe:2.3:a:yoast:google_analytics:5.1:*:*:*:*:wordpress:*:*
- cpe:2.3:a:yoast:google_analytics:5.1.1:*:*:*:*:wordpress:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

wordpress.org/plugins/google-analytics-for-wordpress/changelog/nvdVendor Advisory
www.securityfocus.com/bid/71330nvd
exchange.xforce.ibmcloud.com/vulnerabilities/99053nvd
twitter.com/yoast/status/537569224307511296nvd
wpvulndb.com/vulnerabilities/7692nvd

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000