CVE-2025-64292

Vulnerability

Description The vulnerability is a DOM-Based Cross-Site Scripting (XSS) issue in the Analytics Germanized for Google Analytics plugin for WordPress. The plugin fails to properly neutralize user input during web page generation, allowing attackers to inject arbitrary JavaScript into web pages. This affects all versions from n/a through 1.6.2 [1].

Attack

Vector and Prerequisites Exploitation requires user interaction, such as clicking a malicious link or visiting a crafted page. The attack can be initiated by a privileged user, but successful execution requires another user to perform an action like clicking a link or submitting a form. This makes it a client-side attack that can be leveraged in mass-exploit campaigns targeting thousands of websites [1].

Impact and

Mitigation Successful exploitation allows an attacker to inject malicious scripts, such as redirects, advertisements, or other HTML payloads, which execute when guests visit the site. The severity is considered medium (CVSS 6.5). The vendor has released version 1.6.3 to fix the issue. Users are advised to update immediately or enable auto-updates through Patchstack [1].