CVE-2026-5464 (GCVE-0-2026-5464)

Vulnerability from cvelistv5 – Published: 2026-04-23 08:28 – Updated: 2026-04-23 14:51
VLAI?
Title
ExactMetrics <= 9.1.2 - Authenticated (Editor+) Arbitrary Plugin Installation/Activation via exactmetrics_connect_process
Summary
The ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation and activation in all versions up to, and including, 9.1.2. This is due to the reports page exposing the 'onboarding_key' transient to any user with the 'exactmetrics_view_dashboard' capability. This key is the sole authorization gate for the '/wp-json/exactmetrics/v1/onboarding/connect-url' REST endpoint, which returns a one-time hash (OTH) token. This OTH token is then the only credential checked by the 'exactmetrics_connect_process' AJAX endpoint — which has no capability check, no nonce verification, and accepts an arbitrary plugin ZIP URL via the file parameter for installation and activation. This makes it possible for authenticated attackers, with Editor-level access and above granted the report viewing permission, to install and activate arbitrary plugins from attacker-controlled URLs, leading to Remote Code Execution.
Severity ?
7.2 (High)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE
Assigner
References
Impacted products
Vendor Product Version
smub ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) Affected: 0 , ≤ 9.1.2 (semver)
Create a notification for this product.
Credits
Nguyen Ngoc Duc
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-5464",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-23T14:50:46.837686Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-23T14:51:03.156Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "ExactMetrics \u2013 Google Analytics Dashboard for WordPress (Website Stats Plugin)",
          "vendor": "smub",
          "versions": [
            {
              "lessThanOrEqual": "9.1.2",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Nguyen Ngoc Duc"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The ExactMetrics \u2013 Google Analytics Dashboard for WordPress (Website Stats Plugin) plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation and activation in all versions up to, and including, 9.1.2. This is due to the reports page exposing the \u0027onboarding_key\u0027 transient to any user with the \u0027exactmetrics_view_dashboard\u0027 capability. This key is the sole authorization gate for the \u0027/wp-json/exactmetrics/v1/onboarding/connect-url\u0027 REST endpoint, which returns a one-time hash (OTH) token. This OTH token is then the only credential checked by the \u0027exactmetrics_connect_process\u0027 AJAX endpoint \u2014 which has no capability check, no nonce verification, and accepts an arbitrary plugin ZIP URL via the file parameter for installation and activation. This makes it possible for authenticated attackers, with Editor-level access and above granted the report viewing permission, to install and activate arbitrary plugins from attacker-controlled URLs, leading to Remote Code Execution."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-23T08:28:25.836Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/09127277-9e71-484d-b674-52af693c995b?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/google-analytics-dashboard-for-wp/tags/9.1.1/includes/connect.php#L27"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/google-analytics-dashboard-for-wp/tags/9.1.1/includes/connect.php#L219"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/google-analytics-dashboard-for-wp/tags/9.1.1/includes/admin/class-exactmetrics-onboarding.php#L109"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/google-analytics-dashboard-for-wp/tags/9.1.1/includes/admin/admin-assets.php#L932"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-04-03T06:10:01.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-04-22T19:44:42.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "ExactMetrics \u003c= 9.1.2 - Authenticated (Editor+) Arbitrary Plugin Installation/Activation via exactmetrics_connect_process"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-5464",
    "datePublished": "2026-04-23T08:28:25.836Z",
    "dateReserved": "2026-04-03T05:53:05.632Z",
    "dateUpdated": "2026-04-23T14:51:03.156Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-5464",
      "date": "2026-04-23",
      "epss": "0.00178",
      "percentile": "0.39379"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-5464\",\"sourceIdentifier\":\"security@wordfence.com\",\"published\":\"2026-04-23T10:16:18.077\",\"lastModified\":\"2026-04-23T14:28:55.557\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The ExactMetrics \u2013 Google Analytics Dashboard for WordPress (Website Stats Plugin) plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation and activation in all versions up to, and including, 9.1.2. This is due to the reports page exposing the \u0027onboarding_key\u0027 transient to any user with the \u0027exactmetrics_view_dashboard\u0027 capability. This key is the sole authorization gate for the \u0027/wp-json/exactmetrics/v1/onboarding/connect-url\u0027 REST endpoint, which returns a one-time hash (OTH) token. This OTH token is then the only credential checked by the \u0027exactmetrics_connect_process\u0027 AJAX endpoint \u2014 which has no capability check, no nonce verification, and accepts an arbitrary plugin ZIP URL via the file parameter for installation and activation. This makes it possible for authenticated attackers, with Editor-level access and above granted the report viewing permission, to install and activate arbitrary plugins from attacker-controlled URLs, leading to Remote Code Execution.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@wordfence.com\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.2,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security@wordfence.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-862\"}]}],\"references\":[{\"url\":\"https://plugins.trac.wordpress.org/browser/google-analytics-dashboard-for-wp/tags/9.1.1/includes/admin/admin-assets.php#L932\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/google-analytics-dashboard-for-wp/tags/9.1.1/includes/admin/class-exactmetrics-onboarding.php#L109\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/google-analytics-dashboard-for-wp/tags/9.1.1/includes/connect.php#L219\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/google-analytics-dashboard-for-wp/tags/9.1.1/includes/connect.php#L27\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://www.wordfence.com/threat-intel/vulnerabilities/id/09127277-9e71-484d-b674-52af693c995b?source=cve\",\"source\":\"security@wordfence.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"providerMetadata\": {\"orgId\": \"b15e7b5b-3da4-40ae-a43c-f7aa60e62599\", \"shortName\": \"Wordfence\", \"dateUpdated\": \"2026-04-23T08:28:25.836Z\"}, \"affected\": [{\"vendor\": \"smub\", \"product\": \"ExactMetrics \\u2013 Google Analytics Dashboard for WordPress (Website Stats Plugin)\", \"versions\": [{\"version\": \"0\", \"status\": \"affected\", \"lessThanOrEqual\": \"9.1.2\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"The ExactMetrics \\u2013 Google Analytics Dashboard for WordPress (Website Stats Plugin) plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation and activation in all versions up to, and including, 9.1.2. This is due to the reports page exposing the \u0027onboarding_key\u0027 transient to any user with the \u0027exactmetrics_view_dashboard\u0027 capability. This key is the sole authorization gate for the \u0027/wp-json/exactmetrics/v1/onboarding/connect-url\u0027 REST endpoint, which returns a one-time hash (OTH) token. This OTH token is then the only credential checked by the \u0027exactmetrics_connect_process\u0027 AJAX endpoint \\u2014 which has no capability check, no nonce verification, and accepts an arbitrary plugin ZIP URL via the file parameter for installation and activation. This makes it possible for authenticated attackers, with Editor-level access and above granted the report viewing permission, to install and activate arbitrary plugins from attacker-controlled URLs, leading to Remote Code Execution.\"}], \"title\": \"ExactMetrics \u003c= 9.1.2 - Authenticated (Editor+) Arbitrary Plugin Installation/Activation via exactmetrics_connect_process\", \"references\": [{\"url\": \"https://www.wordfence.com/threat-intel/vulnerabilities/id/09127277-9e71-484d-b674-52af693c995b?source=cve\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/google-analytics-dashboard-for-wp/tags/9.1.1/includes/connect.php#L27\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/google-analytics-dashboard-for-wp/tags/9.1.1/includes/connect.php#L219\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/google-analytics-dashboard-for-wp/tags/9.1.1/includes/admin/class-exactmetrics-onboarding.php#L109\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/google-analytics-dashboard-for-wp/tags/9.1.1/includes/admin/admin-assets.php#L932\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"description\": \"CWE-862 Missing Authorization\", \"cweId\": \"CWE-862\", \"type\": \"CWE\"}]}], \"metrics\": [{\"cvssV3_1\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 7.2, \"baseSeverity\": \"HIGH\"}}], \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Nguyen Ngoc Duc\"}], \"timeline\": [{\"time\": \"2026-04-03T06:10:01.000Z\", \"lang\": \"en\", \"value\": \"Vendor Notified\"}, {\"time\": \"2026-04-22T19:44:42.000Z\", \"lang\": \"en\", \"value\": \"Disclosed\"}]}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-5464\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-23T14:50:46.837686Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-23T14:50:58.656Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-5464\", \"assignerOrgId\": \"b15e7b5b-3da4-40ae-a43c-f7aa60e62599\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"Wordfence\", \"dateReserved\": \"2026-04-03T05:53:05.632Z\", \"datePublished\": \"2026-04-23T08:28:25.836Z\", \"dateUpdated\": \"2026-04-23T14:51:03.156Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.