CVE-2026-1993
Improper Privilege Management in ExactMetrics Plugin Allows Admin Access Escalation
Publication date: 2026-03-11
Last updated on: 2026-03-11
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| exactmetrics | google_analytics_dashboard_for_wp | From 7.1.0 (inc) to 9.0.2 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
The ExactMetrics – Google Analytics Dashboard for WordPress plugin versions 7.1.0 through 9.0.2 have a vulnerability related to Improper Privilege Management. The issue arises because the plugin's update_settings() function accepts any plugin setting name without restricting it to a whitelist of allowed settings.
This flaw allows authenticated users who have the exactmetrics_save_settings capability to modify any plugin setting, including the critical save_settings option. This option controls which user roles have access to the plugin's functionality.
An attacker with this capability can escalate privileges by changing the save_settings option to include roles like subscriber, effectively granting administrative access to all subscribers on the site, which was not the intended behavior.
How can this vulnerability impact me?
This vulnerability can lead to privilege escalation within a WordPress site using the ExactMetrics plugin. An attacker who is authenticated and has the exactmetrics_save_settings capability can modify plugin settings to grant administrative access to lower-privileged users, such as subscribers.
As a result, unauthorized users could gain control over the plugin's functionality and potentially the entire WordPress site, leading to a full compromise including data theft, site defacement, or further malware installation.
The CVSS v3.1 base score of 8.8 reflects the high severity of this vulnerability, indicating it is remotely exploitable with low attack complexity and results in high impact on confidentiality, integrity, and availability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves an authenticated attacker with the capability `exactmetrics_save_settings` modifying plugin settings, including the `save_settings` option that controls user role access. Detection involves checking if the `save_settings` option has been altered to include unauthorized roles such as `subscriber`, which would indicate privilege escalation.
Since the vulnerability is related to WordPress plugin settings, detection can be performed by inspecting the plugin's stored options in the WordPress database, particularly the `save_settings` option of the ExactMetrics plugin.
- Use WP-CLI to check the current value of the `save_settings` option: `wp option get exactmetrics_save_settings`
- Check for unexpected user roles in the `save_settings` option, especially if `subscriber` or other low-privilege roles are present.
- Review user capabilities and roles in WordPress to identify if subscribers or other roles have gained administrative access.
No explicit network commands or automated detection scripts are provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves restricting the ability to modify sensitive plugin settings to only trusted administrators.
Specifically, ensure that only users with the `manage_options` capability (administrators) can update admin-only settings such as `save_settings`, `view_reports`, and `ignore_users`.
- Update the ExactMetrics plugin to a version that includes the access control fixes preventing non-admin users from modifying admin-only settings.
- Audit and reset the `save_settings` option to remove unauthorized roles like `subscriber` to prevent privilege escalation.
- Review user roles and capabilities to ensure no unauthorized users have elevated privileges.
The plugin code changes enforce sanitization and permission checks on settings updates, rejecting unauthorized attempts to modify admin-only settings.
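The permission check described above, as an added PHP illustration that is not the plugin's own code: a settings handler in its vulnerable shape beside a hardened one that drops unknown keys and gates the access-control keys on `manage_options`. The option name `example_plugin_settings`, the capability `example_save_settings`, the general setting keys and the AJAX action are assumptions; `save_settings`, `view_reports`, `ignore_users` and `manage_options` come from the advisory.

```php
<?php
// Added illustration with hypothetical names; not the ExactMetrics plugin's code.

// Keys any user holding the plugin's save capability may change.
const EXAMPLE_GENERAL_SETTINGS = ['anonymize_ips', 'track_logged_in'];

// Keys that change who can use the plugin; only administrators may touch them.
const EXAMPLE_ADMIN_ONLY_SETTINGS = ['save_settings', 'view_reports', 'ignore_users'];

// Vulnerable shape: every submitted key is stored as-is, so a user with only the
// plugin's save capability can rewrite 'save_settings' to include 'subscriber'.
function example_update_settings_vulnerable(array $submitted): void {
    $settings = (array) get_option('example_plugin_settings', []);
    foreach ($submitted as $key => $value) {
        $settings[$key] = $value; // no allowlist, no per-key permission check
    }
    update_option('example_plugin_settings', $settings);
}

// Hardened shape: unknown keys are dropped, access-control keys additionally
// require manage_options, and their values are reduced to existing role slugs.
function example_update_settings_hardened(array $submitted): void {
    $settings    = (array) get_option('example_plugin_settings', []);
    $known_roles = array_keys(wp_roles()->roles);
    foreach ($submitted as $key => $value) {
        if (in_array($key, EXAMPLE_ADMIN_ONLY_SETTINGS, true)) {
            if (!current_user_can('manage_options')) {
                continue; // reject: caller is not an administrator
            }
            $roles = array_map('sanitize_key', (array) $value);
            $settings[$key] = array_values(array_intersect($roles, $known_roles));
        } elseif (in_array($key, EXAMPLE_GENERAL_SETTINGS, true)) {
            $settings[$key] = sanitize_text_field((string) $value);
        }
        // any other key is not a known setting and is silently discarded
    }
    update_option('example_plugin_settings', $settings);
}

// Hypothetical AJAX entry point: the plugin capability and a nonce gate the
// request; the hardened handler then guards the admin-only keys per key.
add_action('wp_ajax_example_update_settings', function (): void {
    check_ajax_referer('example_settings_nonce', 'nonce');
    if (!current_user_can('example_save_settings')) {
        wp_send_json_error('insufficient privileges', 403);
    }
    example_update_settings_hardened((array) wp_unslash($_POST['settings'] ?? []));
    wp_send_json_success();
});
```

The per-key `manage_options` check is the part that closes the escalation path: holding `example_save_settings` alone no longer lets a request touch `save_settings`, so a subscriber cannot be granted the plugin's capabilities by a non-administrator.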