CVE-2026-1993

The ExactMetrics – Google Analytics Dashboard for WordPress plugin is vulnerable to Improper Privilege Management in versions 7.1.0 through 9.0.2. This is due to the `update_settings()` function accepting arbitrary plugin setting names without a whitelist of allowed settings. This makes it possible for authenticated attackers with the `exactmetrics_save_settings` capability to modify any plugin setting, including the `save_settings` option that controls which user roles have access to plugin functionality. The admin intended to delegate configuration access to a trusted user, not enable that user to delegate access to everyone. By setting `save_settings` to include `subscriber`, an attacker can grant plugin administrative access to all subscribers on the site.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://plugins.trac.wordpress.org/browser/google-analytics-dashboard-for-wp/tags/7.15.3/includes/admin/routes.php#L201
https://plugins.trac.wordpress.org/browser/google-analytics-dashboard-for-wp/trunk/includes/admin/routes.php#L201
https://plugins.trac.wordpress.org/changeset/3473805/google-analytics-dashboard-for-wp/trunk/includes/admin/routes.php?old=3453934&old_path=google-analytics-dashboard-for-wp%2Ftrunk%2Fincludes%2Fadmin%2Froutes.php
https://plugins.trac.wordpress.org/changeset/3473805/google-analytics-dashboard-for-wp/trunk/includes/capabilities.php?old=2897321&old_path=google-analytics-dashboard-for-wp%2Ftrunk%2Fincludes%2Fcapabilities.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/1c1ce474-ecce-4d21-b174-cb54a2441b2b?source=cve

Configurations

No configuration.

History

22 Apr 2026, 21:27

Type	Values Removed	Values Added
Summary		(es) El plugin ExactMetrics – Google Analytics Dashboard para WordPress es vulnerable a la Gestión Inadecuada de Privilegios en las versiones 7.1.0 a la 9.0.2. Esto se debe a que la función 'update_settings()' acepta nombres de configuración de plugin arbitrarios sin una lista blanca de configuraciones permitidas. Esto permite que atacantes autenticados con la capacidad 'exactmetrics_save_settings' modifiquen cualquier configuración del plugin, incluida la opción 'save_settings' que controla qué roles de usuario tienen acceso a la funcionalidad del plugin. El administrador tenía la intención de delegar el acceso a la configuración a un usuario de confianza, no de permitir que ese usuario delegara el acceso a todos. Al configurar 'save_settings' para incluir 'subscriber', un atacante puede otorgar acceso administrativo al plugin a todos los suscriptores del sitio.

11 Mar 2026, 10:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-11 10:16

Updated : 2026-04-22 21:27

NVD link : CVE-2026-1993

Mitre link : CVE-2026-1993

CVE.ORG link : CVE-2026-1993

JSON object : View

Products Affected

No product.

CWE

CWE-269

Improper Privilege Management

8.8 /10