Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
8.8
ExactMetrics Plugin Allows Malicious Users to Gain Admin Access
CVE-2026-1993
Summary
The ExactMetrics plugin for WordPress has a bug that lets an attacker with normal user permissions become an admin. This can happen if a well-meaning admin accidentally gives the wrong permission to a user. To fix this, update the ExactMetrics plugin to version 9.0.3 or later.
Original title
The ExactMetrics – Google Analytics Dashboard for WordPress plugin is vulnerable to Improper Privilege Management in versions 7.1.0 through 9.0.2. This is due to the `update_settings()` function ac...
Original description
The ExactMetrics – Google Analytics Dashboard for WordPress plugin is vulnerable to Improper Privilege Management in versions 7.1.0 through 9.0.2. This is due to the `update_settings()` function accepting arbitrary plugin setting names without a whitelist of allowed settings. This makes it possible for authenticated attackers with the `exactmetrics_save_settings` capability to modify any plugin setting, including the `save_settings` option that controls which user roles have access to plugin functionality. The admin intended to delegate configuration access to a trusted user, not enable that user to delegate access to everyone. By setting `save_settings` to include `subscriber`, an attacker can grant plugin administrative access to all subscribers on the site.
nvd CVSS3.1
8.8
Vulnerability type
CWE-269
Improper Privilege Management
- https://plugins.trac.wordpress.org/browser/google-analytics-dashboard-for-wp/tag...
- https://plugins.trac.wordpress.org/browser/google-analytics-dashboard-for-wp/tru...
- https://plugins.trac.wordpress.org/changeset/3473805/google-analytics-dashboard-...
- https://plugins.trac.wordpress.org/changeset/3473805/google-analytics-dashboard-...
- https://www.wordfence.com/threat-intel/vulnerabilities/id/1c1ce474-ecce-4d21-b17...
Published: 11 Mar 2026 · Updated: 13 Mar 2026 · First seen: 11 Mar 2026