CVE-2025-12540
Unknown Unknown - Not Provided
Sensitive Information Exposure in ShareThis Dashboard for WordPress

Publication date: 2026-01-07

Last updated on: 2026-01-07

Assigner: Wordfence

Description
The ShareThis Dashboard for Google Analytics plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.4. This is due to the Google Analytics client_ID and client_secret being stored in plaintext in the publicly visible plugin source. This can allow unauthenticated attackers to craft a link to the sharethis.com server, which will share an authorization token for Google Analytics with a malicious website, if the attacker can trick an administrator logged into the website and Google Analytics to click the link.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-07
Last Modified
2026-01-07
Generated
2026-06-16
AI Q&A
2026-01-07
EPSS Evaluated
2026-06-15
NVD
CVE-2025-12540
EUVD
EUVD-2026-1344
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
sharethis dashboard_for_google_analytics to 3.2.4 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in the ShareThis Dashboard for Google Analytics WordPress plugin involves sensitive information exposure. Specifically, the Google Analytics client_ID and client_secret are stored in plaintext within the publicly visible plugin source. This allows unauthenticated attackers to craft a malicious link to the sharethis.com server that, if clicked by an administrator logged into both the website and Google Analytics, can share an authorization token with a malicious website, potentially compromising the Google Analytics account. [2]

Impact Analysis

The vulnerability can lead to unauthorized access to your Google Analytics account by exposing sensitive OAuth client credentials. An attacker can trick an administrator into clicking a crafted link that shares an authorization token with a malicious site. This could result in unauthorized data access or manipulation within your Google Analytics, potentially compromising your website's analytics data and security. [2]

Detection Guidance

You can detect this vulnerability by checking if the ShareThis Dashboard for Google Analytics plugin version is up to and including 3.2.4 and by searching for the presence of exposed client_ID and client_secret in the plugin source files. For example, you can run commands to search for the credentials.json file or the client secret strings in your WordPress plugin directory. A sample command to find the client secret in the plugin directory could be: grep -r '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' /path/to/wordpress/wp-content/plugins/googleanalytics/ or to find the credentials.json file: find /path/to/wordpress/wp-content/plugins/googleanalytics/ -name 'credentials.json'. These commands help identify if sensitive OAuth credentials are stored in plaintext and publicly accessible. [2]

Mitigation Strategies

Immediate mitigation steps include updating the ShareThis Dashboard for Google Analytics plugin to a version later than 3.2.4 where this vulnerability is fixed, or if no update is available, removing or restricting access to the exposed credentials.json file and any plaintext client_ID and client_secret in the plugin source. Additionally, you should rotate the exposed Google Analytics OAuth client credentials to invalidate any potentially compromised tokens and prevent unauthorized access. Finally, educate administrators to avoid clicking suspicious links that could exploit this vulnerability. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-12540. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart