Google Analytics Dashboard for WP 5.1.2.4: Security Release

Last Updated on December 16, 2017 by Chris Christoff

Google Analytics Dashboard for WP 5.1.2.4 is now available for download.

Being a security release, we strongly encourage you to update immediately.

Google Analytics Dashboard for WP versions 5.1.2.3 and earlier are affected by a security issue that could potentially be exploited only under certain circumstances and timing: the user must display a specific report and take a specific action during an ongoing attack.

Security update details

As part of our commitment to security hardening, the following fix has been implemented in 5.1.2.4:

  • filter out specific HTML elements, instead of HTML escaping, in a report, to avoid XSS exploits

I would like to thank the reporter of this issue, Oways, for practicing responsible security disclosure.

As described in the introductory section, for the exploit to be effective, two things must take place at the same time:

  • the user needs to display a specific report and take a specific action
  • at the same time, there must be an ongoing and sustained attack

Updating the plugin

To update the plugin from within your WordPress install:

  • from the WordPress administration screen, select Plugins > Installed Plugins
  • scroll down to Google Analytics Dashboard for WP (GADWP)
  • click on the update now link below the plugin name
  • wait until the Updated! message is displayed

If you are using the 5.1.2.x version of the plugin and automatic updates are enabled within the plugin settings, the plugin should update automatically to its latest version.

More details will be available once the majority of sites have updated to Google Analytics Dashboard for WP 5.1.2.4 or a later version.