CVE-2025-14609
Missing Authorization in Wise Analytics Plugin Exposes Sensitive Data
Publication date: 2026-01-24
Last updated on: 2026-04-08
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordfence | wise_analytics | to 1.1.9 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in the Wise Analytics WordPress plugin (up to version 1.1.9) is due to missing authorization checks on the REST API endpoint '/wise-analytics/v1/report'. The endpoint's permission callback always returns true, meaning it does not enforce any access control. As a result, unauthenticated attackers can send requests to this endpoint and access sensitive analytics data such as administrator usernames, login timestamps, visitor tracking information, and business intelligence data by specifying the 'name' parameter in their requests. [1, 2]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing unauthenticated attackers to access sensitive analytics data without any restrictions. This includes administrator usernames, login timestamps, visitor tracking details, and business intelligence data. Such unauthorized access can lead to privacy breaches, exposure of sensitive operational information, and potential further exploitation of your WordPress site or business intelligence assets. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by sending unauthenticated GET requests to the REST API endpoint '/wise-analytics/v1/report' on your WordPress site and checking if sensitive analytics data is returned without authentication. For example, you can use curl commands like: curl -X GET 'https://yourwordpresssite.com/wp-json/wise-analytics/v1/report?name=overview.highlights' or curl -X GET 'https://yourwordpresssite.com/wp-json/wise-analytics/v1/report?name=combined&reports=pages,visitors'. If these requests return data without requiring authentication, the vulnerability is present. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include disabling or removing the Wise Analytics plugin until a patched version is available, restricting access to the REST API endpoint '/wise-analytics/v1/report' via web server rules or firewall to block unauthenticated requests, and monitoring your WordPress site for unauthorized access. Applying updates from the plugin developer that implement proper permission checks on the REST API endpoint is essential once available. [1, 2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows unauthenticated attackers to access sensitive analytics data, including administrator usernames, login timestamps, visitor tracking information, and business intelligence data. This unauthorized disclosure of sensitive personal and business data could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require proper access controls and protection of personal and sensitive information. Therefore, the missing authorization in the Wise Analytics plugin's REST API endpoint may result in violations of these standards due to exposure of protected data without consent or proper safeguards. [1, 2]