A vulnerability in older versions of the Google Analytics by Yoast plugin was found by Jouko Pynnönen of Klikki Oy, Finland. Users should update right away.
Details
Missing access control allows an unauthenticated user to modify some of the settings associated with the plug-in. It’s possible overwrite the existing OAuth2 credentials which the plug-in uses for retrieving data from Google Analytics, and thereby connect the plug-in with the attacker’s own Google Analytics account.
Also, the plug-in renders an HTML dropdown menu based on the data downloaded from Google Analytics. This data is not sanitized or HTML-escaped. If the said attacker enters HTML code in the properties in their Google Analytics account settings, it will appear in the WordPress administrative Dashboard of the targeted system and get executed whenever someone views the settings.
It is relatively easy for an attacker to execute server-side code by exploiting this vulnerability. Under default WordPress configuration, a malicious user can use this flaw to write PHP files on the server via the plugin or theme editors.
Alternatively the attacker could change the administrator’s password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target site.
Full story here