CVE-2024-0250
Published: 12 February 2024
Summary
CVE-2024-0250 is a medium-severity Open Redirect (CWE-601) vulnerability in Deconf Analytics Insights. Its CVSS base score is 6.1 (Medium).
Operationally, it ranks in the top 4.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
The Analytics Insights for Google Analytics 4 (AIWP) WordPress plugin before version 6.3 is affected by an open redirect vulnerability (CWE-601) caused by insufficient validation of redirect parameters in the oauth2callback.php file. The issue carries a CVSS 3.1 base score of 6.1; its vector indicates a network attack vector, low attack complexity, no privileges required, user interaction required, and changed scope.
Unauthenticated attackers can exploit the flaw to redirect victims to arbitrary external sites, provided they first trick a user into performing an action that triggers the oauth2callback flow. Successful exploitation has limited impact on confidentiality and integrity and no impact on availability.
The referenced WPScan advisory at wpscan.com/vulnerability/321b07d1-692f-48e9-a8e5-a15b38efa979 documents the issue but does not enumerate explicit mitigation steps beyond the version constraint. Exploitation probability reached a peak of 0.2624 on 2025-12-11 before receding to the current value of 0.2116.
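The class of check whose absence this advisory describes is a same-origin validation of the redirect target before the callback handler emits a Location header. The following is an added illustration written for this page, not code from the AIWP plugin or the WPScan advisory; the function names, the fallback path and the host blog.example are assumptions.

```php
<?php
// Added example, not code from the AIWP plugin: a same-origin check for a
// redirect target taken from an OAuth callback request. The function names,
// the fallback path and the host "blog.example" are assumptions for the demo.
// Requires PHP 8 (str_starts_with).
function is_safe_redirect_target(string $target, string $siteHost): bool
{
    // Reject empty values, control characters (CR/LF would split the Location
    // header) and backslashes (browsers treat "/\host" like "//host").
    if ($target === '' || preg_match('/[\x00-\x1F\x7F\\\\]/', $target)) {
        return false;
    }
    // Browsers resolve "//host" and "///host" as scheme-relative absolute URLs.
    if (str_starts_with($target, '//')) {
        return false;
    }
    $parts = parse_url($target);
    if ($parts === false) {
        return false;
    }
    // Only http(s) or scheme-less targets; blocks javascript:, data:, etc.
    if (isset($parts['scheme'])
        && !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    if (!isset($parts['host'])) {
        // No host: accept only a site-relative path with no scheme, because
        // browsers rewrite "https:/evil.example" into an absolute URL.
        return !isset($parts['scheme'])
            && isset($parts['path']) && str_starts_with($parts['path'], '/');
    }
    // Absolute URL: the host must match this site exactly. parse_url reports
    // "https://blog.example@evil.example" with host evil.example, so it fails.
    return strcasecmp($parts['host'], $siteHost) === 0;
}

// What the callback handler should send in its Location header.
function redirect_after_oauth(string $target, string $siteHost): string
{
    return is_safe_redirect_target($target, $siteHost) ? $target : '/wp-admin/';
}

// Constructed inputs: the first two are allowed, the rest fall back.
foreach (['/wp-admin/admin.php?page=aiwp', 'https://blog.example/wp-admin/',
          'https://evil.example/', '//evil.example/', 'https:/evil.example',
          'javascript:alert(1)', 'https://blog.example@evil.example/'] as $t) {
    printf("%-40s -> %s\n", $t, redirect_after_oauth($t, 'blog.example'));
}
```

Inside WordPress itself, wp_safe_redirect() performs an equivalent allowed-host check via wp_validate_redirect() and falls back to the admin URL; the standalone version above exists only so the logic can be read and run without a WordPress install.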
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-16046
Vulnerability details
The Analytics Insights for Google Analytics 4 (AIWP) WordPress plugin before 6.3 is vulnerable to Open Redirect due to insufficient validation on the redirect oauth2callback.php file. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action.
- CWE(s): CWE-601 (Open Redirect)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
No per-CVE control mapping is available for this CVE. The referenced advisory gives no mitigation beyond the version constraint, so the fix is to update the plugin to version 6.3 or later.