Description
The ExactMetrics – Google Analytics Dashboard for WordPress plugin is vulnerable to Insecure Direct Object Reference in versions 8.6.0 through 9.0.2. This is due to the `store_settings()` method in the `ExactMetrics_Onboarding` class accepting a user-supplied `triggered_by` parameter that is used instead of the current user's ID to check permissions. This makes it possible for authenticated attackers with the `exactmetrics_save_settings` capability to bypass the `install_plugins` capability check by specifying an administrator's user ID in the `triggered_by` parameter, allowing them to install arbitrary plugins and achieve Remote Code Execution. This vulnerability only affects sites on which an administrator has given other user types the permission to view reports, and it can only be exploited by users of that type.
Published: 2026-03-11
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The ExactMetrics – Google Analytics Dashboard for WordPress plugin is vulnerable to an Insecure Direct Object Reference (IDOR, CWE-639) in versions 8.6.0 through 9.0.2. The flaw is in the store_settings() method of the ExactMetrics_Onboarding class, which accepts a user-supplied "triggered_by" parameter and evaluates the install_plugins capability check against that user ID rather than against the authenticated user. An attacker who holds the exactmetrics_save_settings capability (the gate that lets them reach store_settings() at all) can therefore name an administrator's user ID in triggered_by, pass the install_plugins check as that administrator, and install arbitrary plugins, which on WordPress is equivalent to Remote Code Execution. Key detail from the CVE description: "allowing them to install arbitrary plugins and achieve Remote Code Execution."
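The capability-check flaw described above, as an added illustration (this is not ExactMetrics' code, and the plugin's real store_settings() is not reproduced here): a minimal handler written twice, once with the request-supplied triggered_by ID as the subject of the install_plugins check and once with the authenticated user as the subject. The capability table, user IDs, plugin slug and request shape are constructed for the example; in WordPress the real calls are current_user_can() and user_can().

```php
<?php
// Added example for CVE-2026-1992, not ExactMetrics' own code. Shows why using a
// request-supplied "triggered_by" user ID as the subject of the install_plugins
// check is an IDOR. Everything below (users, IDs, plugin slug) is constructed.
// In WordPress the real checks are current_user_can() / user_can().

// Constructed stand-in for WordPress users and their effective capabilities.
$users = [
    1 => ['login' => 'admin',
          'caps'  => ['install_plugins' => true, 'exactmetrics_save_settings' => true]],
    7 => ['login' => 'editor1',
          // Non-admin who was allowed to view reports: has the plugin cap only.
          'caps'  => ['exactmetrics_save_settings' => true]],
];

// Stand-in for user_can( $user_id, $cap ).
function user_can_stub(array $users, int $user_id, string $cap): bool
{
    return !empty($users[$user_id]['caps'][$cap]);
}

// Vulnerable pattern. The first gate is evaluated against the session user;
// the second (install_plugins) is evaluated against whatever user ID the
// request names in triggered_by, so the caller picks who is "checked".
function store_settings_vulnerable(array $users, int $current_user_id, array $request): string
{
    if (!user_can_stub($users, $current_user_id, 'exactmetrics_save_settings')) {
        return 'denied: missing exactmetrics_save_settings';
    }
    $subject = isset($request['triggered_by']) ? (int) $request['triggered_by'] : $current_user_id;
    if (!user_can_stub($users, $subject, 'install_plugins')) {
        return 'denied: missing install_plugins';
    }
    return 'installing plugin ' . $request['plugin'];
}

// Hardened pattern. triggered_by is never an input to authorisation; every
// capability check names the authenticated user. If the value is wanted for
// audit logging it can still be recorded, but it must not change the decision.
function store_settings_fixed(array $users, int $current_user_id, array $request): string
{
    if (!user_can_stub($users, $current_user_id, 'exactmetrics_save_settings')) {
        return 'denied: missing exactmetrics_save_settings';
    }
    if (!user_can_stub($users, $current_user_id, 'install_plugins')) {
        return 'denied: missing install_plugins';
    }
    return 'installing plugin ' . $request['plugin'];
}

// Scenario from the advisory: the editor (ID 7) submits a request that names
// the administrator (ID 1) in triggered_by.
$request = ['triggered_by' => 1, 'plugin' => 'example-plugin'];

echo 'vulnerable: ', store_settings_vulnerable($users, 7, $request), PHP_EOL;
echo 'fixed:      ', store_settings_fixed($users, 7, $request), PHP_EOL;
```

Run with `php example.php`: the vulnerable handler reports that it is installing the plugin for user 7, while the fixed handler refuses with "denied: missing install_plugins". The design point is that any identifier in the request body is attacker-controlled; authorisation has to be keyed on the session (get_current_user_id() in WordPress), and a nonce check alone would not help because the attacker is making the request from their own valid session.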

Affected Systems

Vendors: smub – ExactMetrics – Google Analytics Dashboard for WordPress. Product: ExactMetrics plugin for WordPress. Affected versions: 8.6.0 through 9.0.2. Only sites on which an administrator has granted a non-administrator user type permission to view reports are affected, and only accounts of that type (which carry the exactmetrics_save_settings capability) can exploit the flaw.

Risk and Exploitability

The vulnerability carries a CVSS 3.1 score of 8.8 (High) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H: reachable over the network, low attack complexity, a low-privilege account, no user interaction, and full loss of confidentiality, integrity and availability. The EPSS score is below 1%, it is not listed in the CISA KEV catalog, and the SSVC record on this page reads Exploitation: none, Automatable: no, Technical Impact: total. Exploitation requires an authenticated account that holds the exactmetrics_save_settings capability and an administrator's user ID to place in triggered_by; WordPress user IDs are small integers and the first account created on an installation is normally an administrator with ID 1, so no separate information disclosure is needed. The request is an ordinary authenticated call to the plugin's onboarding/settings handler, not an administrator-only screen, and the outcome is arbitrary plugin installation, i.e. Remote Code Execution and full compromise of the site.

Generated by OpenCVE AI on March 17, 2026 at 14:58 UTC.

Remediation

No vendor fix or workaround is recorded on this page. The affected range ends at 9.0.2; confirm in the vendor changelog which later release closes the issue.

OpenCVE Recommended Actions

  • Update the ExactMetrics plugin to the latest available release (any version newer than 9.0.2 is outside the affected range; confirm the fix in the vendor changelog).
  • If an update is not immediately possible, remove the exactmetrics_save_settings capability from every non-administrator role and from any user to whom it was granted directly; only accounts that already hold install_plugins should keep it.
  • Restrict report viewing in the plugin's settings to administrators, which removes the user type that the CVE description says is required for exploitation.
  • Audit role and per-user capabilities (for example with `wp cap list <role>` and `wp user list-caps <user>`) and verify they have not been inadvertently broadened.
  • Review server and file permissions so that the plugin directory is not writable by the web server user; note that WordPress installs plugins as that user, so the more reliable control is `define( 'DISALLOW_FILE_MODS', true );` in wp-config.php, which makes install_plugins false for every account, administrators included.
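The capability audit and revocation from the second and fourth actions above, as an added script that is not part of ExactMetrics or OpenCVE. It flags every role, and every user (through a role or through a direct grant), that holds exactmetrics_save_settings without install_plugins, which is exactly the precondition the advisory describes, and emits the WP-CLI commands that revoke it. The $roles and $users arrays are constructed samples shaped like wp_roles()->roles and a user's wp_capabilities meta; on a live site replace them with the output of wp_roles() and get_users(), for example by running the functions under `wp eval-file`.

```php
<?php
// Added audit script for the precondition in CVE-2026-1992: a role or user
// holding exactmetrics_save_settings without install_plugins. Not part of
// ExactMetrics or OpenCVE. The $roles and $users arrays are constructed
// samples; on a live site they come from wp_roles() and get_users().

const PLUGIN_CAP  = 'exactmetrics_save_settings';
const INSTALL_CAP = 'install_plugins';

// Constructed: role slug => ['name' => ..., 'capabilities' => [cap => bool]].
$roles = [
    'administrator' => ['name' => 'Administrator',
                        'capabilities' => [INSTALL_CAP => true, PLUGIN_CAP => true]],
    'editor'        => ['name' => 'Editor',
                        'capabilities' => ['edit_others_posts' => true, PLUGIN_CAP => true]],
    'subscriber'    => ['name' => 'Subscriber',
                        'capabilities' => ['read' => true]],
];

// Constructed: users with their roles and any capabilities granted directly
// (WordPress lets a capability be added to a single user, bypassing roles).
$users = [
    ['user_login' => 'admin',   'roles' => ['administrator'], 'caps' => []],
    ['user_login' => 'editor1', 'roles' => ['editor'],        'caps' => []],
    ['user_login' => 'sub1',    'roles' => ['subscriber'],    'caps' => [PLUGIN_CAP => true]],
    ['user_login' => 'sub2',    'roles' => ['subscriber'],    'caps' => []],
];

// Roles whose members can reach the vulnerable path yet cannot legitimately
// install plugins; administrators drop out because they hold both.
function exposed_roles(array $roles): array
{
    $out = [];
    foreach ($roles as $slug => $role) {
        $caps = $role['capabilities'];
        if (!empty($caps[PLUGIN_CAP]) && empty($caps[INSTALL_CAP])) {
            $out[] = $slug;
        }
    }
    return $out;
}

// Effective capability of a user: a direct grant or any of the user's roles.
function user_has_cap(array $user, array $roles, string $cap): bool
{
    if (!empty($user['caps'][$cap])) {
        return true;
    }
    foreach ($user['roles'] as $slug) {
        if (!empty($roles[$slug]['capabilities'][$cap])) {
            return true;
        }
    }
    return false;
}

// Users exposed through a role or a direct grant.
function exposed_users(array $users, array $roles): array
{
    $out = [];
    foreach ($users as $u) {
        if (user_has_cap($u, $roles, PLUGIN_CAP) && !user_has_cap($u, $roles, INSTALL_CAP)) {
            $out[] = $u['user_login'];
        }
    }
    return $out;
}

// WP-CLI commands revoking the capability at both levels
// (`wp cap remove` and `wp user remove-cap` are real WP-CLI subcommands).
function remediation_commands(array $roles, array $users): array
{
    $cmds = [];
    foreach (exposed_roles($roles) as $slug) {
        $cmds[] = 'wp cap remove ' . $slug . ' ' . PLUGIN_CAP;
    }
    foreach ($users as $u) {
        if (!empty($u['caps'][PLUGIN_CAP]) && !user_has_cap($u, $roles, INSTALL_CAP)) {
            $cmds[] = 'wp user remove-cap ' . $u['user_login'] . ' ' . PLUGIN_CAP;
        }
    }
    return $cmds;
}

echo 'Exposed roles: ', implode(', ', exposed_roles($roles)), PHP_EOL;
echo 'Exposed users: ', implode(', ', exposed_users($users, $roles)), PHP_EOL;
foreach (remediation_commands($roles, $users) as $cmd) {
    echo $cmd, PHP_EOL;
}
```

With the constructed data the script reports the editor role and the users editor1 and sub1, and prints one `wp cap remove` for the role and one `wp user remove-cap` for the direct grant on sub1. Revoking the capability also removes that account's report access, which is the intended effect until the plugin is updated; re-run the audit afterwards, because a plugin update or settings change can grant the capability again.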

Generated by OpenCVE AI on March 17, 2026 at 14:58 UTC.

Advisories

No advisories yet.

History

Thu, 12 Mar 2026 10:15:00 +0000

Type: First Time appeared
Values added: Smub; Smub exactmetrics – Google Analytics Dashboard For Wordpress (website Stats Plugin); Wordpress; Wordpress wordpress

Type: Vendors & Products
Values added: Smub; Smub exactmetrics – Google Analytics Dashboard For Wordpress (website Stats Plugin); Wordpress; Wordpress wordpress

Wed, 11 Mar 2026 14:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 11 Mar 2026 09:45:00 +0000

Type: Description
Values added: The ExactMetrics – Google Analytics Dashboard for WordPress plugin is vulnerable to Insecure Direct Object Reference in versions 8.6.0 through 9.0.2. This is due to the `store_settings()` method in the `ExactMetrics_Onboarding` class accepting a user-supplied `triggered_by` parameter that is used instead of the current user's ID to check permissions. This makes it possible for authenticated attackers with the `exactmetrics_save_settings` capability to bypass the `install_plugins` capability check by specifying an administrator's user ID in the `triggered_by` parameter, allowing them to install arbitrary plugins and achieve Remote Code Execution. This vulnerability only affects sites on which administrator has given other user types the permission to view reports and can only be exploited by users of that type.

Type: Title
Values added: ExactMetrics 8.6.0 - 9.0.2 - Authenticated (Custom) Insecure Direct Object Reference to Arbitrary Plugin Installation

Type: Weaknesses
Values added: CWE-639

Type: References

Type: Metrics (cvssV3_1)
Values added: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-03-11T13:30:00.851Z

Reserved: 2026-02-05T16:08:52.114Z

Link: CVE-2026-1992

Vulnrichment

Updated: 2026-03-11T13:29:51.072Z

NVD

Status : Awaiting Analysis

Published: 2026-03-11T10:16:13.280

Modified: 2026-03-11T13:52:47.683

Link: CVE-2026-1992

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T14:37:30Z

Weaknesses