Description
The ExactMetrics – Google Analytics Dashboard for WordPress plugin is vulnerable to Improper Privilege Management in versions 7.1.0 through 9.0.2. This is due to the `update_settings()` function accepting arbitrary plugin setting names without a whitelist of allowed settings. This makes it possible for authenticated attackers with the `exactmetrics_save_settings` capability to modify any plugin setting, including the `save_settings` option that controls which user roles have access to plugin functionality. The admin intended to delegate configuration access to a trusted user, not enable that user to delegate access to everyone. By setting `save_settings` to include `subscriber`, an attacker can grant plugin administrative access to all subscribers on the site.
Published: 2026-03-11
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Patch Now
AI Analysis

Impact

The ExactMetrics – Google Analytics Dashboard for WordPress plugin is vulnerable to Improper Privilege Management (CWE-269). The `update_settings()` function accepts arbitrary plugin setting names without a whitelist, allowing an authenticated user with the `exactmetrics_save_settings` capability to modify any plugin setting. By changing the `save_settings` option to include the subscriber role, an attacker can grant administrative access to the plugin to all subscribers, effectively escalating privileges within the site.
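To make the weakness concrete, here is an added illustration (not the plugin's own code) of a settings handler in the shape the advisory describes: the vulnerable form writes every submitted key through, the hardened form allowlists keys and reserves the role-granting key for site administrators. Function names, the option name `EM_OPTION` and the allowlisted keys are assumptions; the WordPress API calls are real.

```php
<?php
// Added illustration, not the ExactMetrics plugin's code. EM_OPTION, the
// function names and the editable-key list are assumptions for the example.
const EM_OPTION = 'exactmetrics_settings_example'; // assumed option name

// Vulnerable pattern (CWE-269): any key in the request is stored, so a user
// holding exactmetrics_save_settings can rewrite 'save_settings', the key
// that decides which roles are allowed to change settings at all.
function em_update_settings_vulnerable( array $incoming ) {
    if ( ! current_user_can( 'exactmetrics_save_settings' ) ) {
        wp_die( 'Forbidden', 403 );
    }
    $settings = (array) get_option( EM_OPTION, array() );
    foreach ( $incoming as $key => $value ) {
        $settings[ $key ] = $value; // no allowlist of setting names
    }
    update_option( EM_OPTION, $settings );
}

// Hardened pattern: a delegated editor may only touch an explicit allowlist,
// and the access-control key needs the administrator-level capability.
function em_update_settings_hardened( array $incoming ) {
    if ( ! current_user_can( 'exactmetrics_save_settings' ) ) {
        wp_die( 'Forbidden', 403 );
    }
    $editable   = array( 'tracking_mode', 'anonymize_ips' ); // assumed list
    $privileged = array( 'save_settings' ); // controls who may administer

    $settings = (array) get_option( EM_OPTION, array() );
    foreach ( $incoming as $key => $value ) {
        $key = sanitize_key( $key );
        if ( in_array( $key, $privileged, true ) ) {
            if ( ! current_user_can( 'manage_options' ) ) {
                wp_die( 'Forbidden', 403 ); // delegate cannot re-delegate
            }
            // Keep only role slugs that actually exist on this site.
            $value = array_values( array_intersect(
                array_map( 'sanitize_key', (array) $value ),
                array_keys( wp_roles()->get_names() )
            ) );
        } elseif ( ! in_array( $key, $editable, true ) ) {
            continue; // unknown or disallowed key: silently dropped
        }
        $settings[ $key ] = $value;
    }
    update_option( EM_OPTION, $settings );
}
```

With the hardened form, a request from a delegated user that includes `save_settings` fails with 403 instead of widening access to other roles.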

Affected Systems

The vulnerability affects the ExactMetrics plugin for WordPress, versions 7.1.0 through 9.0.2, as distributed by smub:ExactMetrics. Any site running one of these versions is impacted.

Risk and Exploitability

The CVSS base score of 8.8 indicates high severity, and the EPSS score of less than 1% suggests a low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires a user to be authenticated with the `exactmetrics_save_settings` capability and to invoke the `update_settings()` endpoint; no publicly available exploits have been reported.

Generated by OpenCVE AI on March 17, 2026 at 16:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ExactMetrics to a fixed version (e.g., 9.0.3 or later if available).
  • If an immediate upgrade is not possible, remove the `exactmetrics_save_settings` capability from all non-administrator roles and retain it only for trusted administrators.
  • Verify that the `save_settings` option does not include unintended roles such as subscriber.
  • Monitor authentication logs and role assignment changes for suspicious activity and review plugin settings regularly.
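The two interim actions (strip the capability from non-administrator roles, and check `save_settings` for unintended roles) as an added mu-plugin example; this is not OpenCVE's or the plugin's code. The option name `EM_OPTION` and the assumption that `save_settings` is stored as an array of role slugs are both assumptions; `wp_roles()`, `remove_cap()` and `get_option()` are standard WordPress APIs.

```php
<?php
// Added example, not the plugin's own code. Drop into wp-content/mu-plugins/.
// EM_OPTION and the stored layout of 'save_settings' are assumptions.
const EM_OPTION = 'exactmetrics_settings_example'; // assumed option name

// 1. Keep exactmetrics_save_settings on the administrator role only.
function em_restrict_save_settings_cap() {
    foreach ( wp_roles()->role_objects as $slug => $role ) {
        if ( 'administrator' === $slug ) {
            continue;
        }
        if ( $role->has_cap( 'exactmetrics_save_settings' ) ) {
            $role->remove_cap( 'exactmetrics_save_settings' ); // persisted
            error_log( "Removed exactmetrics_save_settings from role {$slug}" );
        }
    }
}
add_action( 'admin_init', 'em_restrict_save_settings_cap' );

// 2. Return any role listed in save_settings that is not expected there,
//    so the result can be logged or surfaced in monitoring.
function em_unexpected_save_settings_roles( array $allowed = array( 'administrator' ) ) {
    $settings = (array) get_option( EM_OPTION, array() );
    $granted  = isset( $settings['save_settings'] ) ? (array) $settings['save_settings'] : array();
    return array_values( array_diff( $granted, $allowed ) );
}

add_action( 'admin_init', function () {
    $unexpected = em_unexpected_save_settings_roles();
    if ( $unexpected ) {
        error_log( 'ExactMetrics save_settings grants unexpected roles: ' . implode( ', ', $unexpected ) );
    }
} );
```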

Advisories

No advisories yet.

History

Thu, 12 Mar 2026 10:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Smub; Smub exactmetrics – Google Analytics Dashboard For Wordpress (website Stats Plugin); Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Smub; Smub exactmetrics – Google Analytics Dashboard For Wordpress (website Stats Plugin); Wordpress; Wordpress wordpress

Wed, 11 Mar 2026 14:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 09:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: The ExactMetrics – Google Analytics Dashboard for WordPress plugin is vulnerable to Improper Privilege Management in versions 7.1.0 through 9.0.2. This is due to the `update_settings()` function accepting arbitrary plugin setting names without a whitelist of allowed settings. This makes it possible for authenticated attackers with the `exactmetrics_save_settings` capability to modify any plugin setting, including the `save_settings` option that controls which user roles have access to plugin functionality. The admin intended to delegate configuration access to a trusted user, not enable that user to delegate access to everyone. By setting `save_settings` to include `subscriber`, an attacker can grant plugin administrative access to all subscribers on the site.

Type: Title
Values Removed: (none)
Values Added: ExactMetrics 7.1.0 - 9.0.2 - Authenticated (Custom) Improper Privilege Management to Role Privilege Escalation via Settings Update

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-269

Type: References
Values Removed: (none)
Values Added: (empty)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-03-11T13:28:36.760Z

Reserved: 2026-02-05T16:26:24.468Z

Link: CVE-2026-1993

Vulnrichment

Updated: 2026-03-11T13:28:23.188Z

NVD

Status: Awaiting Analysis

Published: 2026-03-11T10:16:13.673

Modified: 2026-03-11T13:52:47.683

Link: CVE-2026-1993

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T14:37:31Z

Weaknesses