CVE-2026-5464 (GCVE-0-2026-5464)
Vulnerability from cvelistv5
Published
2026-04-23 08:28
Modified
2026-04-23 14:51
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-862 - Missing Authorization
Summary
The ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation and activation in all versions up to, and including, 9.1.2. This is due to the reports page exposing the 'onboarding_key' transient to any user with the 'exactmetrics_view_dashboard' capability. This key is the sole authorization gate for the '/wp-json/exactmetrics/v1/onboarding/connect-url' REST endpoint, which returns a one-time hash (OTH) token. This OTH token is then the only credential checked by the 'exactmetrics_connect_process' AJAX endpoint — which has no capability check, no nonce verification, and accepts an arbitrary plugin ZIP URL via the file parameter for installation and activation. This makes it possible for authenticated attackers, with Editor-level access and above granted the report viewing permission, to install and activate arbitrary plugins from attacker-controlled URLs, leading to Remote Code Execution.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| smub | ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) |
Version: 0 ≤ 9.1.2 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5464",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-23T14:50:46.837686Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-23T14:51:03.156Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ExactMetrics \u2013 Google Analytics Dashboard for WordPress (Website Stats Plugin)",
"vendor": "smub",
"versions": [
{
"lessThanOrEqual": "9.1.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Nguyen Ngoc Duc"
}
],
"descriptions": [
{
"lang": "en",
"value": "The ExactMetrics \u2013 Google Analytics Dashboard for WordPress (Website Stats Plugin) plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation and activation in all versions up to, and including, 9.1.2. This is due to the reports page exposing the \u0027onboarding_key\u0027 transient to any user with the \u0027exactmetrics_view_dashboard\u0027 capability. This key is the sole authorization gate for the \u0027/wp-json/exactmetrics/v1/onboarding/connect-url\u0027 REST endpoint, which returns a one-time hash (OTH) token. This OTH token is then the only credential checked by the \u0027exactmetrics_connect_process\u0027 AJAX endpoint \u2014 which has no capability check, no nonce verification, and accepts an arbitrary plugin ZIP URL via the file parameter for installation and activation. This makes it possible for authenticated attackers, with Editor-level access and above granted the report viewing permission, to install and activate arbitrary plugins from attacker-controlled URLs, leading to Remote Code Execution."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-23T08:28:25.836Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/09127277-9e71-484d-b674-52af693c995b?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/google-analytics-dashboard-for-wp/tags/9.1.1/includes/connect.php#L27"
},
{
"url": "https://plugins.trac.wordpress.org/browser/google-analytics-dashboard-for-wp/tags/9.1.1/includes/connect.php#L219"
},
{
"url": "https://plugins.trac.wordpress.org/browser/google-analytics-dashboard-for-wp/tags/9.1.1/includes/admin/class-exactmetrics-onboarding.php#L109"
},
{
"url": "https://plugins.trac.wordpress.org/browser/google-analytics-dashboard-for-wp/tags/9.1.1/includes/admin/admin-assets.php#L932"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-03T06:10:01.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-04-22T19:44:42.000Z",
"value": "Disclosed"
}
],
"title": "ExactMetrics \u003c= 9.1.2 - Authenticated (Editor+) Arbitrary Plugin Installation/Activation via exactmetrics_connect_process"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-5464",
"datePublished": "2026-04-23T08:28:25.836Z",
"dateReserved": "2026-04-03T05:53:05.632Z",
"dateUpdated": "2026-04-23T14:51:03.156Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…