WordPress Plugin Vulnerabilities
ExactMetrics < 9.1.3 - Authenticated (Subscriber+) Missing Authorization to Google Ads Access Token Retrieval via AJAX Action 'exactmetrics_ads_get_token'
Description
The ExactMetrics – Google Analytics Dashboard for WordPress plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 9.1.2. This is due to missing capability checks in the get_ads_access_token() and reset_experience() AJAX handlers. While the mi-admin-nonce is localized on all admin pages (including profile.php which subscribers can access), and while other similar AJAX endpoints in the same class properly check for the exactmetrics_save_settings capability, these two endpoints only verify the nonce. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve valid Google Ads access tokens and reset Google Ads integration settings.
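The root cause described above is a common WordPress AJAX mistake: treating a nonce as if it were an authorization check. The block below is a constructed illustration added here, not the plugin's own code, showing a nonce-only handler next to the hardened form that also enforces a capability. The action name `exactmetrics_ads_get_token`, the nonce name `mi-admin-nonce` and the capability `exactmetrics_save_settings` come from the advisory; the `example_*` function names and the request field `nonce` are assumptions.

```php
<?php
/**
 * Constructed illustration (not the plugin's own code) of the pattern the
 * advisory describes: an admin-ajax.php handler that verifies only a nonce,
 * next to a hardened version that also enforces a capability.
 *
 * Names taken from the advisory: AJAX action 'exactmetrics_ads_get_token',
 * nonce 'mi-admin-nonce', capability 'exactmetrics_save_settings'.
 * The example_* helper names and the 'nonce' request field are hypothetical.
 */

// A nonce proves the request originated from a page that carried that nonce.
// It is a CSRF control, not an authorization control: any logged-in user who
// can load a page where the nonce is localized (the advisory notes profile.php,
// which subscribers can reach) obtains a valid nonce.

// Weak pattern: nonce only. Every authenticated user who holds the nonce passes.
function example_weak_get_token() {
    check_ajax_referer( 'mi-admin-nonce', 'nonce' );

    wp_send_json_success( array( 'token' => example_fetch_ads_token() ) );
}

// Hardened pattern: nonce (CSRF) plus a capability check (authorization).
function example_hardened_get_token() {
    // Third argument false: return instead of die(), so the error shape is ours.
    if ( ! check_ajax_referer( 'mi-admin-nonce', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce.' ), 403 );
    }

    // The capability is what actually restricts the endpoint to the intended role.
    if ( ! current_user_can( 'exactmetrics_save_settings' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    wp_send_json_success( array( 'token' => example_fetch_ads_token() ) );
}

// Register only the hardened handler. No 'wp_ajax_nopriv_' registration, so the
// action is not reachable by unauthenticated requests at all.
add_action( 'wp_ajax_exactmetrics_ads_get_token', 'example_hardened_get_token' );

// Stand-in for the real token retrieval; returns an obviously fake value.
function example_fetch_ads_token() {
    return 'PLACEHOLDER_TOKEN';
}
```

When auditing a plugin for this class of issue, list every `wp_ajax_*` registration and confirm each handler pairs its nonce check with a `current_user_can()` call appropriate to the data it exposes; the `reset_experience()` handler named in the advisory needs the same pairing.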
Classification
Type: No authorisation
Miscellaneous
Original Researcher: Dmitrii Ignatyev
Verified: No

Timeline
Publicly Published: 2026-04-23
Added: 2026-04-23
Last Updated: 2026-04-24