CVE-2026-22517

The GA4WP: Google Analytics for WordPress plugin (versions up to and including 2.10.0) suffers from a missing authorization vulnerability. This is a broken access control issue where the plugin fails to properly check permissions or nonce tokens for certain functions, potentially allowing unprivileged users to perform actions normally reserved for higher privileged roles [1].

Exploitation does not require authentication from a privileged account; any user, including subscribers, can leverage missing authorization checks to execute unauthorized operations. The vulnerability is categorized as Medium severity (CVSS v3.1 base score 5.4) and is known to be used in mass-exploit campaigns targeting thousands of websites [1].

Successful exploitation could allow an attacker to modify plugin settings, access sensitive analytics data, or perform other administrative actions without proper authorization. The exact impact depends on the unprotected functions but typically leads to privilege escalation or information disclosure [1].

As of the advisory publication, the vendor has not released a patched version. Users are strongly advised to update the plugin immediately when a fix becomes available, or contact their hosting provider for assistance if updating is not possible [1].