VYPR
High severity8.8NVD Advisory· Published Mar 11, 2026· Updated Apr 22, 2026

CVE-2026-1993

CVE-2026-1993

Description

The ExactMetrics – Google Analytics Dashboard for WordPress plugin is vulnerable to Improper Privilege Management in versions 7.1.0 through 9.0.2. This is due to the update_settings() function accepting arbitrary plugin setting names without a whitelist of allowed settings. This makes it possible for authenticated attackers with the exactmetrics_save_settings capability to modify any plugin setting, including the save_settings option that controls which user roles have access to plugin functionality. The admin intended to delegate configuration access to a trusted user, not enable that user to delegate access to everyone. By setting save_settings to include subscriber, an attacker can grant plugin administrative access to all subscribers on the site.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2

Patches

Vulnerability mechanics

References

5

News mentions

0

No linked articles in our index yet.