
CVE-2024-0250

Severity: Medium · Public PoC

Published: 12 February 2024
Modified: 26 March 2025
KEV Added: not listed
Patch: —
CVSS Score v3.1: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
EPSS Score: 0.2116 (95.8th percentile)
Risk Priority: 25 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-0250 is a medium-severity Open Redirect (CWE-601) vulnerability in Deconf Analytics Insights. Its CVSS base score is 6.1 (Medium).

Operationally, it ranks in the top 4.2% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

The Analytics Insights for Google Analytics 4 (AIWP) WordPress plugin before version 6.3 is affected by an open redirect vulnerability (CWE-601) caused by insufficient validation of the redirect parameter handled in the plugin's oauth2callback.php file. The issue carries a CVSS 3.1 score of 6.1; the vector indicates a network attack vector, low attack complexity, no required privileges, required user interaction, and changed scope.

Unauthenticated attackers can use the flaw to redirect victims to arbitrary external sites, provided they first trick a user into performing an action that triggers the oauth2callback flow. Successful exploitation has limited impact on confidentiality and integrity and no impact on availability.

The referenced WPScan advisory at wpscan.com/vulnerability/321b07d1-692f-48e9-a8e5-a15b38efa979 documents the issue but does not enumerate explicit mitigation steps beyond the version constraint. Exploitation probability reached a peak of 0.2624 on 2025-12-11 before receding to the current value of 0.2116.

EU & UK References

Vulnerability details

The Analytics Insights for Google Analytics 4 (AIWP) WordPress plugin before 6.3 is vulnerable to Open Redirect due to insufficient validation on the redirect in the oauth2callback.php file. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action.

CWE(s)

CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: deconf
Product: analytics insights
Versions: ≤ 6.3

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-601: Security awareness includes verifying URLs and avoiding untrusted redirects that lead to malicious sites.
- Addresses CWE-601: Validates redirect targets and URLs to ensure they conform to allowed destinations.
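The second control above is the one that removes the root cause of CWE-601: the application decides where a redirect may go, rather than trusting a parameter. The following is an added example written for this page, not code from the Analytics Insights plugin or from the WPScan advisory. It assumes a site whose own host is `example.com` (a constructed value) and shows an allow-list validator that falls back to a safe local path whenever the candidate target is anything other than a same-site path or an explicitly allowed absolute URL. It also covers the edge cases that a naive "does it start with a slash" check misses: protocol-relative `//host` targets, backslash variants that browsers normalise to slashes, credentials-in-URL (`user@host`) forms, and non-HTTP schemes.

```python
"""Allow-list validation of redirect targets (mitigation for CWE-601).

Added example; not code from the plugin discussed on this page.
SITE_HOST / ALLOWED_HOSTS and all sample inputs are constructed values.
"""
from urllib.parse import urlsplit, urlunsplit

SITE_HOST = "example.com"      # assumed: the application's own host
ALLOWED_HOSTS = {SITE_HOST}     # trusted hosts, listed exactly (no substring matching)
SAFE_FALLBACK = "/"             # where to send the user when the target is rejected


def safe_redirect_target(candidate: str) -> str:
    """Return `candidate` if it is a same-site path or an allow-listed absolute
    URL; otherwise return SAFE_FALLBACK.

    Rejecting rather than "repairing" a bad target keeps the rule small and
    auditable, which is what a reviewer wants to see in redirect handling.
    """
    if not isinstance(candidate, str) or not candidate:
        return SAFE_FALLBACK

    # Browsers treat backslashes as forward slashes in URLs, so "/\evil" is
    # effectively "//evil". Normalise before any structural check.
    candidate = candidate.replace("\\", "/")

    # Control characters never belong in a redirect target (they are also
    # silently dropped by some parsers, which makes later checks unreliable).
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in candidate):
        return SAFE_FALLBACK

    parts = urlsplit(candidate)

    # Relative target: accept only a local path with exactly one leading "/".
    # "//host/..." is protocol-relative and would leave the site.
    if not parts.scheme and not parts.netloc:
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return SAFE_FALLBACK

    # Absolute target: scheme, credentials and host are all checked.
    if parts.scheme not in ("http", "https"):
        return SAFE_FALLBACK                      # javascript:, data:, etc.
    if parts.username is not None or parts.password is not None:
        return SAFE_FALLBACK                      # "https://example.com@evil/" style
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return SAFE_FALLBACK
    return urlunsplit(parts)


if __name__ == "__main__":
    # Constructed sample inputs: what a `redirect_to`-style parameter might carry.
    samples = [
        "/wp-admin/?page=aiwp",
        "https://example.com/wp-admin/",
        "//evil.example/",
        "/\\evil.example",
        "https://example.com@evil.example/",
        "https://evil.example/",
        "javascript:alert(1)",
        "",
    ]
    for s in samples:
        print(f"{s!r:40} -> {safe_redirect_target(s)!r}")
```

The allow-list is an exact set membership test on the parsed hostname; checks such as `"example.com" in url` or `url.startswith("https://example.com")` are the classic mistakes here, since `https://example.com.evil.example/` and `https://example.com@evil.example/` both pass them. In a WordPress context the same policy is what the core `wp_safe_redirect()` / `wp_validate_redirect()` pair enforces, so a plugin that routes its callback redirect through those functions gets equivalent protection.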

References