Want to follow updates from Weeblr.com about our extensions, but too many news, too many blogs to read?

Many of our blog posts are also produced as podcast episodes so paste this link into your favorite podcast app, or search for The Weeblr blasts on Apple Podcasts, Spotify, Google Podcasts, PocketCasts and several other platforms and you won't miss an update detail at most convenient time for you!

4Analytics main dashboard with chart, data and AI analysis

Critical vulnerabilities in 4Analytics

Hi all,

During a routine security audit yesterday, I uncovered two critical vulnerabilities in 4Analytics, our private analytics extension.

While the issues will not be triggered on all websites, they can lead to an entire website takeover by attackers and therefore require an immediate update to 4Analytics version 5.0.2, released today.

Do not wait; update immediately.

The short story

  • The attacker does not need to be authenticated; these are critical vulnerabilities (one with high risk, one with low risk).
  • Applies to all versions of 4Analytics.
  • They were self-discovered, not zero-days, and there are no reports of them being actively used.
  • Tracked under CVE-2026-57833 and CVE-2026-58077

What happened?

These are self-discovered and likely not actively used, so I will provide details seven days from now to allow more time for you to update.

What happened? Small things; as usual, they are very easy to overlook. Over the course of 4Analytics' lifetime—which is only 18 months—I ran several code audits, including AI-based ones, but these were not caught.

Since the start of June, we have been hearing about many serious vulnerabilities in multiple Joomla extensions (and even more WordPress ones), so I figured it would be a good time to review the matter again (with a helpful reminder from one user on the helpdesk).

We now have modern AI tools available that can be both quick and thorough. While all other extensions passed the audits, 4Analytics did not, and I am sorry about that.

The last time I had a (serious) security issue was around 2008, in sh404SEF. I did not like it then and I do not like it now, both for you and for myself.

At the end of last year, when I last ran AI tools to find vulnerabilities, their output was not useful. They are much better now (as evidenced by all that has happened over the last couple of months in Joomla and WordPress), and so, from now on, security audit runs will be systematic.

Let me apologise again to all 4Analytics users, and rest assured I will keep doing all I can to avoid such an outcome in the future for all my extensions. 

Cheers,

Yannick