CVE-2026-1992
IDOR in ExactMetrics WordPress Plugin Enables Remote Code Execution

Publication date: 2026-03-11

Last updated on: 2026-03-11

Assigner: Wordfence

Description
The ExactMetrics – Google Analytics Dashboard for WordPress plugin is vulnerable to Insecure Direct Object Reference in versions 8.6.0 through 9.0.2. This is due to the `store_settings()` method in the `ExactMetrics_Onboarding` class accepting a user-supplied `triggered_by` parameter that is used instead of the current user's ID to check permissions. This makes it possible for authenticated attackers with the `exactmetrics_save_settings` capability to bypass the `install_plugins` capability check by specifying an administrator's user ID in the `triggered_by` parameter, allowing them to install arbitrary plugins and achieve Remote Code Execution. This vulnerability only affects sites on which an administrator has given other user types permission to view reports, and it can only be exploited by users of those types.
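To make the flaw concrete, the following is an added illustration of the authorization pattern the description names, beside its hardened form; it is constructed for this page and is not the plugin's actual code. It assumes a WordPress runtime (current_user_can, user_can, get_current_user_id, absint and WP_Error are WordPress core) and a hypothetical install_requested_plugins() helper standing in for the privileged action.

```php
<?php
// Constructed illustration of CWE-639 as described in the advisory; not ExactMetrics code.
// Assumes WordPress core functions are loaded.

// Hypothetical stand-in for the privileged action the endpoint performs.
function install_requested_plugins( array $request ) {
    return array( 'installed' => isset( $request['plugins'] ) ? $request['plugins'] : array() );
}

// Vulnerable pattern: the second permission check is bound to a caller-supplied user ID.
function store_settings_vulnerable( array $request ) {
    // First gate: the caller must hold the plugin capability (report viewers may).
    if ( ! current_user_can( 'exactmetrics_save_settings' ) ) {
        return new WP_Error( 'forbidden', 'Missing plugin capability', array( 'status' => 403 ) );
    }
    // Flaw: the identity whose capabilities are checked comes from the request body,
    // so the check is an IDOR: any user ID can be named, including an administrator's.
    $user_id = isset( $request['triggered_by'] ) ? absint( $request['triggered_by'] ) : get_current_user_id();
    if ( ! user_can( $user_id, 'install_plugins' ) ) {
        return new WP_Error( 'forbidden', 'Cannot install plugins', array( 'status' => 403 ) );
    }
    return install_requested_plugins( $request );
}

// Hardened pattern: authorization is always evaluated against the authenticated caller.
function store_settings_hardened( array $request ) {
    if ( ! current_user_can( 'exactmetrics_save_settings' ) ) {
        return new WP_Error( 'forbidden', 'Missing plugin capability', array( 'status' => 403 ) );
    }
    // Any caller-supplied identity in the request is ignored for authorization;
    // only the session's own user decides whether plugin installation is allowed.
    if ( ! current_user_can( 'install_plugins' ) ) {
        return new WP_Error( 'forbidden', 'Cannot install plugins', array( 'status' => 403 ) );
    }
    // triggered_by may still be recorded for audit purposes, but as an untrusted
    // claim from the request, never as the subject of a capability check.
    return install_requested_plugins( $request );
}
```

The defensive rule the hardened version applies is general: a capability check must name the principal established by the session, never one taken from request data.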
Meta Information
Published: 2026-03-11
Last Modified: 2026-03-11
Generated: 2026-05-07
AI Q&A: 2026-03-11
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 2 associated CPEs
Vendor        Product                                     Version / Range
exactmetrics  google_analytics_dashboard_for_wordpress    From 8.6.0 (inclusive) to 9.0.2 (inclusive)
exactmetrics  google_analytics_dashboard_for_wordpress    9.0.3
CWE
CWE-639: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
AI Powered Q&A
Can you explain this vulnerability to me?

The ExactMetrics – Google Analytics Dashboard for WordPress plugin has a vulnerability called Insecure Direct Object Reference in versions 8.6.0 through 9.0.2. This happens because the method store_settings() in the ExactMetrics_Onboarding class accepts a user-supplied parameter called triggered_by, which is used to check permissions instead of the current user's ID.

An authenticated attacker who has the exactmetrics_save_settings capability can exploit this by specifying an administrator's user ID in the triggered_by parameter. This bypasses the install_plugins capability check, allowing the attacker to install arbitrary plugins.

By installing arbitrary plugins, the attacker can achieve Remote Code Execution on the affected site. This vulnerability only affects sites where administrators have given other user types permission to view reports, and only those user types can exploit it.


How can this vulnerability impact me?

This vulnerability can have severe impacts because it allows an attacker with limited permissions to escalate their privileges and install arbitrary plugins.

Once arbitrary plugins are installed, the attacker can execute remote code on the WordPress site, potentially taking full control of the site.

This can lead to unauthorized access, data theft, site defacement, or use of the site for malicious purposes such as distributing malware.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking if your WordPress site is running the ExactMetrics – Google Analytics Dashboard for WordPress plugin versions 8.6.0 through 9.0.2.

Specifically, detection involves verifying if users with the capability exactmetrics_save_settings but without the install_plugins capability can exploit the store_settings() method by supplying a triggered_by parameter to bypass permission checks.

To detect potential exploitation attempts or presence of the vulnerability, you can audit your web server logs for REST API calls to the ExactMetrics onboarding endpoints, especially POST requests to /wp-json/exactmetrics/v1/onboarding/settings that include the triggered_by parameter.

Suggested commands to detect the plugin version and suspicious requests include:

  • Check the installed plugin version via WP-CLI: wp plugin list --status=active | grep exactmetrics
  • Search web server logs for suspicious REST API calls with the triggered_by parameter: grep -i 'wp-json/exactmetrics/v1/onboarding/settings' /var/log/apache2/access.log | grep 'triggered_by='
  • Audit WordPress user capabilities to identify users with the exactmetrics_save_settings capability but without the install_plugins capability.

[2, 3]
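The capability audit in the last step above has no command on the page, so here is an added helper for it; it is constructed for this page and is not part of ExactMetrics or WordPress. It assumes a loaded WordPress runtime (get_users and user_can are WordPress core), for example when run through WP-CLI with wp eval-file, and reports every account that holds exactmetrics_save_settings without install_plugins, i.e. the accounts that could reach the vulnerable check on an unpatched site.

```php
<?php
// Constructed audit helper; run inside a WordPress runtime, e.g. via:
//   wp eval-file audit-exactmetrics-caps.php   (hypothetical file name)

// Returns the accounts that can reach the plugin's settings endpoint but are not
// themselves allowed to install plugins: exactly the population the advisory names.
function exactmetrics_exposed_users() {
    $exposed = array();
    foreach ( get_users( array( 'fields' => 'all' ) ) as $user ) {
        $can_save    = user_can( $user, 'exactmetrics_save_settings' );
        $can_install = user_can( $user, 'install_plugins' );
        if ( $can_save && ! $can_install ) {
            $exposed[] = array(
                'ID'    => $user->ID,
                'login' => $user->user_login,
                'roles' => implode( ',', $user->roles ),
            );
        }
    }
    return $exposed;
}

// One tab-separated line per exposed account; an empty result means no
// non-administrator can reach the vulnerable code path on this site.
$rows = exactmetrics_exposed_users();
printf( "%d exposed account(s)\n", count( $rows ) );
foreach ( $rows as $row ) {
    printf( "%d\t%s\t%s\n", $row['ID'], $row['login'], $row['roles'] );
}
```

Any account listed is a candidate for removing the exactmetrics_save_settings capability until the plugin is updated to 9.0.3 or later.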


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include:

  • Update the ExactMetrics – Google Analytics Dashboard for WordPress plugin to version 9.0.3 or later, where the vulnerability has been fixed by enforcing proper permission checks and validation of the triggered_by parameter.
  • Restrict permissions so that only trusted administrator users have the capability to view reports or save ExactMetrics settings, preventing lower-privileged users from exploiting the vulnerability.
  • Monitor and restrict REST API access to the ExactMetrics onboarding endpoints, especially POST requests to /wp-json/exactmetrics/v1/onboarding/settings.
  • If an immediate update is not possible, consider temporarily disabling the ExactMetrics plugin or removing the exactmetrics_save_settings capability from non-administrator users.
