Executive Summary

The ExactMetrics – Google Analytics Dashboard for WordPress plugin has a vulnerability called Insecure Direct Object Reference in versions 8.6.0 through 9.0.2. This happens because the method store_settings() in the ExactMetrics_Onboarding class accepts a user-supplied parameter called triggered_by, which is used to check permissions instead of the current user's ID.

An authenticated attacker who has the exactmetrics_save_settings capability can exploit this by specifying an administrator's user ID in the triggered_by parameter. This bypasses the install_plugins capability check, allowing the attacker to install arbitrary plugins.

By installing arbitrary plugins, the attacker can achieve Remote Code Execution on the affected site. This vulnerability only affects sites where administrators have given other user types permission to view reports, and only those user types can exploit it.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts because it allows an attacker with limited permissions to escalate their privileges and install arbitrary plugins.

Once arbitrary plugins are installed, the attacker can execute remote code on the WordPress site, potentially taking full control of the site.

This can lead to unauthorized access, data theft, site defacement, or use of the site for malicious purposes such as distributing malware.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking if your WordPress site is running the ExactMetrics – Google Analytics Dashboard for WordPress plugin versions 8.6.0 through 9.0.2.'}, {'type': 'paragraph', 'content': 'Specifically, detection involves verifying if users with the capability exactmetrics_save_settings but without install_plugins capability can exploit the store_settings() method by supplying a triggered_by parameter to bypass permission checks.'}, {'type': 'paragraph', 'content': 'To detect potential exploitation attempts or presence of the vulnerability, you can audit your web server logs for REST API calls to the ExactMetrics onboarding endpoints, especially POST requests to /wp-json/exactmetrics/v1/onboarding/settings that include the triggered_by parameter.'}, {'type': 'paragraph', 'content': 'Suggested commands to detect the plugin version and suspicious requests include:'}, {'type': 'list_item', 'content': 'Check the installed plugin version via WP-CLI: wp plugin list --status=active | grep exactmetrics'}, {'type': 'list_item', 'content': "Search web server logs for suspicious REST API calls with triggered_by parameter: grep -i 'wp-json/exactmetrics/v1/onboarding/settings' /var/log/apache2/access.log | grep 'triggered_by='"}, {'type': 'list_item', 'content': 'Audit WordPress user capabilities to identify users with exactmetrics_save_settings capability but without install_plugins capability.'}] [2, 3]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include:

• Update the ExactMetrics – Google Analytics Dashboard for WordPress plugin to version 9.0.3 or later, where the vulnerability has been fixed by enforcing proper permission checks and validation of the triggered_by parameter.
• Restrict permissions so that only trusted administrator users have the capability to view reports or save ExactMetrics settings, preventing lower-privileged users from exploiting the vulnerability.
• Monitor and restrict REST API access to the ExactMetrics onboarding endpoints, especially POST requests to /wp-json/exactmetrics/v1/onboarding/settings.
• If immediate update is not possible, consider temporarily disabling the ExactMetrics plugin or removing the exactmetrics_save_settings capability from non-administrator users.

Useful 0 Not Useful 0