Logo
Retour à la veille

CVE-2026-8944

Publié : 30 juin 2026
Modifié : 30 juin 2026
Lien officiel NVD
Score CVSS
4.3
MEDIUM

Description détaillée

The Plugin for Google Analytics by IO technologies plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the Google Analytics settings page (ga.php). This makes it possible for unauthenticated attackers to update the plugin's stored Google Analytics tracking ID option (io-ga-id) via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Vecteur d'attaque (CVSS)

Vecteur brut :CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Références et Patchs

https://plugins.trac.wordpress.org/browser/io-engagement-analytics/trunk/ga.php#L15https://www.wordfence.com/threat-intel/vulnerabilities/id/16f9ca70-50fe-4fab-8a58-57af795dc000?source=cve

Dernières Vulnérabilités

CVE-2026-9576

The Fluent Booking WordPress plugin before 2.1.2 does not verify ownership of the requested group_id before exporting attendee data via the export endpoint, allowing users with at least the Calendar Manager role to retrieve attendees' PII (name, email, phone, address, payment information) from calendar groups they do not own.

VOIR DÉTAILS

CVE-2026-56809

Multiple laser printers and MFPs (multifunction printers) which implement Ricoh Web Image Monitor contain a reflected cross-site scripting vulnerability. An arbitrary script may be executed on the web browser of the user who accesses Web Image Monitor.

VOIR DÉTAILS

CVE-2026-56808

DGM3103SCT provided by AVTECH Security Corporation contains an OS command injection vulnerability, which may lead to arbitrary command execution with the root privilege by a user who can log in to the web management console of the affected product.

VOIR DÉTAILS