Google Analytics Dashboard for WP 220.127.116.11 is now available for download.
Being a security release, we strongly encourage you to update immediately.
Google Analytics Dashboard for WP versions 18.104.22.168 and earlier are affected by a security issue which could potentially be exploited in certain circumstances and timings; requiring the user to display a specific report and take a specific action during an on-going attack.
Security update details
As part of our commitment to security hardening, the following fix has been implemented in 22.214.171.124:
- filter out specific HTML elements, instead of HTML escaping, in a report, to avoid XSS exploits
I would like to thank to the reporter of this issue for practicing responsible security disclosure: Oways.
As described in the introductory section, for the exploit to be effective, two things must take place at the same time:
- the user needs to display a specific report and take a specific action
- at the same time, there must be an ongoing and sustained attack
Updating the plugin
To update the plugin from within your WordPress install:
- from WordPress administration screen select Plugins > Installed Plugins
- scroll down to Google Analytics Dashboard for WP (GADWP)
- Click on the update now link below the plugin name
- wait until the Updated! message is displayed
If you are using the 5.1.2.x version of the plugin and automatic updates are enabled within the plugin settings, the plugin should update automatically to its latest version.
More details will be available once the majority of sites have updated to Google Analytics Dashboard for WP 126.96.36.199 or a later version.