Cyber Resilience

CVE-2025-26773

Medium

Published: 17 February 2025

Modified: 23 April 2026
CVSS Score (v3.1): 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
EPSS Score: 0.0009 (25.0th percentile)
Risk Priority: 9 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-26773 is a medium-severity Missing Authorization (CWE-862) vulnerability in the Analytify plugin "Analytify - Google Analytics Dashboard" for WordPress. Its CVSS base score is 4.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 25.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-26773 is a missing authorization vulnerability, mapped to CWE-862, in the Analytify WordPress plugin (wp-analytify) from the vendor recorded as Adnan Analytify. The flaw lets an attacker exploit incorrectly configured access control security levels, and it affects the plugin from an unspecified initial version through 5.5.0.

The vulnerability has a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N): it is exploitable over the network with low attack complexity and no user interaction. It requires low privileges, for example an authenticated user with basic access, and results in limited unauthorized disclosure of confidential information, with no impact on integrity or availability.

Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wp-analytify/vulnerability/wordpress-analytify-plugin-5-5-0-broken-access-control-vulnerability?_s_id=cve.

Vulnerability details

Missing Authorization vulnerability in Adnan Analytify wp-analytify allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Analytify: from n/a through <= 5.5.0.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Missing authorization (CWE-862) in a public-facing WordPress plugin directly enables exploitation of public-facing applications over the network with low privileges for unauthorized data disclosure.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2022-45830 (same product: Analytify - Google Analytics Dashboard)
CVE-2026-45209 (shared CWE-862)
CVE-2026-25026 (shared CWE-862)
CVE-2026-42083 (shared CWE-862)
CVE-2026-0656 (shared CWE-862)
CVE-2026-24532 (shared CWE-862)
CVE-2025-13603 (shared CWE-862)
CVE-2025-69063 (shared CWE-862)
CVE-2026-3045 (shared CWE-862)
CVE-2025-67956 (shared CWE-862)

Affected Assets

Vendor: analytify
Product: analytify - google analytics dashboard
Versions: ≤ 5.5.1

Mitigating Controls (NIST 800-53 r5)

AC-3 (prevent): enforces approved authorizations for access to information and resources, directly countering the missing authorization checks in the Analytify WordPress plugin.

AC-6 (prevent): applies least privilege to limit low-privilege users' access, reducing the scope of unauthorized disclosure exploitable via the plugin's broken access control.

SI-2 (prevent): mandates timely identification, reporting, and correction of flaws, enabling patching of the vulnerable Analytify plugin versions up to 5.5.0.