CVE-2026-1992

{"id": "CVE-2026-1992", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "security@wordfence.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2026-03-11T10:16:13.280", "references": [{"url": "https://plugins.trac.wordpress.org/browser/google-analytics-dashboard-for-wp/trunk/includes/admin/class-exactmetrics-onboarding.php#L273", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/changeset/3473805/google-analytics-dashboard-for-wp/trunk/includes/admin/class-exactmetrics-onboarding.php?old=3309894&old_path=google-analytics-dashboard-for-wp%2Ftrunk%2Fincludes%2Fadmin%2Fclass-exactmetrics-onboarding.php", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/79b6b896-df66-4c3d-a4d4-d3dbeb630134?source=cve", "source": "security@wordfence.com"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Primary", "source": "security@wordfence.com", "description": [{"lang": "en", "value": "CWE-639"}]}], "descriptions": [{"lang": "en", "value": "The ExactMetrics \u2013 Google Analytics Dashboard for WordPress plugin is vulnerable to Insecure Direct Object Reference in versions 8.6.0 through 9.0.2. This is due to the `store_settings()` method in the `ExactMetrics_Onboarding` class accepting a user-supplied `triggered_by` parameter that is used instead of the current user's ID to check permissions. This makes it possible for authenticated attackers with the `exactmetrics_save_settings` capability to bypass the `install_plugins` capability check by specifying an administrator's user ID in the `triggered_by` parameter, allowing them to install arbitrary plugins and achieve Remote Code Execution. This vulnerability only affects sites on which administrator has given other user types the permission to view reports and can only be exploited by users of that type."}, {"lang": "es", "value": "El plugin ExactMetrics \u2013 Google Analytics Dashboard para WordPress es vulnerable a Referencia Directa Insegura a Objeto en las versiones 8.6.0 a 9.0.2. Esto se debe a que el m\u00e9todo 'store_settings()' en la clase 'ExactMetrics_Onboarding' acepta un par\u00e1metro 'triggered_by' proporcionado por el usuario que se utiliza en lugar del ID del usuario actual para verificar permisos. Esto hace posible que atacantes autenticados con la capacidad 'exactmetrics_save_settings' omitan la verificaci\u00f3n de capacidad 'install_plugins' al especificar el ID de usuario de un administrador en el par\u00e1metro 'triggered_by', permiti\u00e9ndoles instalar plugins arbitrarios y lograr la ejecuci\u00f3n remota de c\u00f3digo. Esta vulnerabilidad solo afecta a los sitios en los que el administrador ha otorgado a otros tipos de usuario el permiso para ver informes y solo puede ser explotada por usuarios de ese tipo."}], "lastModified": "2026-04-22T21:27:27.950", "sourceIdentifier": "security@wordfence.com"}