Description
The ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation and activation in all versions up to, and including, 9.1.2. This is due to the reports page exposing the 'onboarding_key' transient to any user with the 'exactmetrics_view_dashboard' capability. This key is the sole authorization gate for the '/wp-json/exactmetrics/v1/onboarding/connect-url' REST endpoint, which returns a one-time hash (OTH) token. This OTH token is then the only credential checked by the 'exactmetrics_connect_process' AJAX endpoint — which has no capability check, no nonce verification, and accepts an arbitrary plugin ZIP URL via the file parameter for installation and activation. This makes it possible for authenticated attackers, with Editor-level access and above granted the report viewing permission, to install and activate arbitrary plugins from attacker-controlled URLs, leading to Remote Code Execution.
Published: 2026-04-23
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A broken access control flaw (CWE-862) allows an authenticated user who has the exactmetrics_view_dashboard capability—which includes editors and higher—to request a one‑time hash token from a REST endpoint. That token is the only credential verified by an AJAX endpoint that accepts an arbitrary plugin ZIP URL. Because this endpoint lacks capability checks or nonce validation, it can be used to download and install any plugin code supplied by the attacker, directly enabling remote code execution on the WordPress installation.

Affected Systems

ExactMetrics – Google Analytics Dashboard for WordPress plugins for WordPress sites, specifically all releases up to and including version 9.1.2, are impacted. Sites that have updated to later releases that have removed the vulnerable onboarding and plugin‑installation hooks are not affected.

Risk and Exploitability

The CVSS base score of 7.2 highlights a high severity flaw, while the EPSS score of less than 1% indicates a low current exploitation probability and the vulnerability is not listed in CISA’s KEV catalog. Nevertheless, because any editor‑level account can obtain the token and invoke the insecure AJAX endpoint, the risk of compromising the site’s integrity and confidentiality remains significant. An attacker with such access can introduce arbitrary PHP, exfiltrate sensitive data, deface content, or pivot to other systems.

Generated by OpenCVE AI on April 28, 2026 at 14:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update ExactMetrics to a version newer than 9.1.2 that removes the vulnerable onboarding token usage and the unchecked AJAX endpoint.
  • Revoke the exactmetrics_view_dashboard capability from editor accounts, limiting report viewing to administrators only so that only privileged users can trigger the token generation logic.
  • If an immediate update is not feasible, disable the insecure AJAX endpoint by configuring the plugin to development mode or by removing the file parameter handling from the exactmetrics_connect_process function.

Generated by OpenCVE AI on April 28, 2026 at 14:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Smub
Smub exactmetrics – Google Analytics Dashboard For Wordpress (website Stats Plugin)
Wordpress
Wordpress wordpress
Vendors & Products Smub
Smub exactmetrics – Google Analytics Dashboard For Wordpress (website Stats Plugin)
Wordpress
Wordpress wordpress

Thu, 23 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 10:00:00 +0000

Type Values Removed Values Added
Description The ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation and activation in all versions up to, and including, 9.1.2. This is due to the reports page exposing the 'onboarding_key' transient to any user with the 'exactmetrics_view_dashboard' capability. This key is the sole authorization gate for the '/wp-json/exactmetrics/v1/onboarding/connect-url' REST endpoint, which returns a one-time hash (OTH) token. This OTH token is then the only credential checked by the 'exactmetrics_connect_process' AJAX endpoint — which has no capability check, no nonce verification, and accepts an arbitrary plugin ZIP URL via the file parameter for installation and activation. This makes it possible for authenticated attackers, with Editor-level access and above granted the report viewing permission, to install and activate arbitrary plugins from attacker-controlled URLs, leading to Remote Code Execution.
Title ExactMetrics <= 9.1.2 - Authenticated (Editor+) Arbitrary Plugin Installation/Activation via exactmetrics_connect_process
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Smub Exactmetrics – Google Analytics Dashboard For Wordpress (website Stats Plugin)
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-23T14:51:03.156Z

Reserved: 2026-04-03T05:53:05.632Z

Link: CVE-2026-5464

cve-icon Vulnrichment

Updated: 2026-04-23T14:50:58.656Z

cve-icon NVD

Status : Deferred

Published: 2026-04-23T10:16:18.077

Modified: 2026-04-23T14:28:55.557

Link: CVE-2026-5464

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T15:00:14Z

Weaknesses