CVE-2026-1992
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
The ExactMetrics – Google Analytics Dashboard for WordPress plugin is vulnerable to Insecure Direct Object Reference in versions 8.6.0 through 9.0.2. This is due to the store_settings() method in the ExactMetrics_Onboarding class accepting a user-supplied triggered_by parameter that is used instead of the current user's ID to check permissions. This makes it possible for authenticated attackers with the exactmetrics_save_settings capability to bypass the install_plugins capability check by specifying an administrator's user ID in the triggered_by parameter, allowing them to install arbitrary plugins and achieve Remote Code Execution. This vulnerability only affects sites on which administrator has given other user types the permission to view reports and can only be exploited by users of that type.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| smub | ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) | 8.0.0 <= 9.0.2 | affected |
Weaknesses
- CWE-639: CWE-639 Authorization Bypass Through User-Controlled Key
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/79b6b896-df66-4c3d-a4d4-d3dbeb630134?source=cve
- https://plugins.trac.wordpress.org/browser/google-analytics-dashboard-for-wp/trunk/includes/admin/class-exactmetrics-onboarding.php#L273
- https://plugins.trac.wordpress.org/changeset/3473805/google-analytics-dashboard-for-wp/trunk/includes/admin/class-exactmetrics-onboarding.php?old=3309894&old_path=google-analytics-dashboard-for-wp%2Ftrunk%2Fincludes%2Fadmin%2Fclass-exactmetrics-onboarding.php
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.