CVE-2026-1993
Description
The ExactMetrics – Google Analytics Dashboard for WordPress plugin is vulnerable to Improper Privilege Management in versions 7.1.0 through 9.0.2. This is due to the update_settings() function accepting arbitrary plugin setting names without a whitelist of allowed settings. This makes it possible for authenticated attackers with the exactmetrics_save_settings capability to modify any plugin setting, including the save_settings option that controls which user roles have access to plugin functionality. The admin intended to delegate configuration access to a trusted user, not enable that user to delegate access to everyone. By setting save_settings to include subscriber, an attacker can grant plugin administrative access to all subscribers on the site.
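The missing control described above is an allowlist on the settings-update path. The following is an added, hypothetical PHP sketch (not the plugin's code) of how such a handler can be hardened: setting names are checked against an allowlist, and the role-delegation option `save_settings` sits outside the set a user who merely holds the save-settings capability may change. Setting names other than `save_settings`, and the two boolean capability flags, are constructed for illustration.

```php
<?php
// Hypothetical hardened settings handler (added example, not the plugin's code).
// Two defences the description implies were absent:
//  1. an allowlist of setting names a delegated user may modify;
//  2. the role-delegation option ('save_settings') is never in that allowlist,
//     so a user holding only the save-settings capability cannot widen access.

// Settings a delegated user may change (constructed placeholder names).
const DELEGATED_SETTINGS = ['tracking_mode', 'anonymize_ips', 'events_mode'];

// Settings reserved for a full site administrator.
const ADMIN_ONLY_SETTINGS = ['save_settings'];

/**
 * Apply a requested update and return the resulting settings array.
 * $is_admin models a site administrator; $can_save models the
 * delegated save-settings capability. Keys that are unknown or not
 * permitted for the caller are listed in $rejected, never stored.
 */
function update_settings_hardened(array $current, array $requested,
                                  bool $is_admin, bool $can_save,
                                  array &$rejected = []): array
{
    if (!$can_save && !$is_admin) {
        throw new RuntimeException('capability check failed');
    }
    $allowed = $is_admin
        ? array_merge(DELEGATED_SETTINGS, ADMIN_ONLY_SETTINGS)
        : DELEGATED_SETTINGS;
    $rejected = [];
    foreach ($requested as $name => $value) {
        if (!in_array($name, $allowed, true)) {
            $rejected[] = $name;   // arbitrary setting names are refused
            continue;
        }
        $current[$name] = $value;
    }
    return $current;
}

// Constructed check: a delegated (non-admin) caller submits a request that
// also tries to add 'subscriber' to the role list; only the allowed key lands.
$settings = ['tracking_mode' => 'gtag', 'save_settings' => ['administrator']];
$request  = ['tracking_mode' => 'analytics',
             'save_settings' => ['administrator', 'subscriber']];
$result   = update_settings_hardened($settings, $request, false, true, $rejected);
assert($result['save_settings'] === ['administrator']);
assert($result['tracking_mode'] === 'analytics');
assert($rejected === ['save_settings']);
echo 'rejected keys: ' . implode(', ', $rejected) . "\n";
```

Logging the rejected keys (rather than silently dropping them) also gives a detection signal: a delegated account repeatedly submitting `save_settings` is worth investigating.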
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- plugins.trac.wordpress.org/browser/google-analytics-dashboard-for-wp/tags/7.15.3/includes/admin/routes.php (nvd)
- plugins.trac.wordpress.org/browser/google-analytics-dashboard-for-wp/trunk/includes/admin/routes.php (nvd)
- plugins.trac.wordpress.org/changeset/3473805/google-analytics-dashboard-for-wp/trunk/includes/admin/routes.php (nvd)
- plugins.trac.wordpress.org/changeset/3473805/google-analytics-dashboard-for-wp/trunk/includes/capabilities.php (nvd)
- www.wordfence.com/threat-intel/vulnerabilities/id/1c1ce474-ecce-4d21-b174-cb54a2441b2b (nvd)
News mentions
No linked articles in our index yet.