CVE-2025-63063

Vulnerability

Overview The Yandex.Metrica plugin for WordPress (versions up to and including 1.2.2) contains a missing authorization vulnerability. The plugin fails to properly validate user permissions for certain functions, allowing attackers to exploit incorrectly configured access control security levels. This broken access control issue means that no authentication or nonce token check is performed, so unprivileged users can execute higher-privileged actions. [1]

Exploitation

Conditions Attackers can exploit this vulnerability without any authentication, as the missing authorization check allows any user—including unauthenticated visitors—to access administrative functions. The vulnerability is suitable for mass-exploit campaigns, where attackers target thousands of websites simultaneously, regardless of their size or popularity. [1]

Impact

Successful exploitation enables an attacker to perform actions normally reserved for higher-privileged users, potentially leading to data exposure, site compromise, or further attacks. The vulnerability has a CVSS score of 5.3 (Medium), reflecting the ease of exploitation and potential for widespread impact. [1]

Mitigation

Immediate action is required: update the plugin to a version beyond 1.2.2. If an update is not available, users should contact their hosting provider or web developer for assistance. The vulnerability is actively used in mass-exploit campaigns, so timely mitigation is critical. [1]