WordPress Plugin Vulnerabilities

ExactMetrics < 9.1.3 - Editor+ Arbitrary Plugin Installation/Activation

Description

The plugin is vulnerable to unauthorized arbitrary plugin installation and activation due to the reports page exposing the 'onboarding_key' transient to any user with the 'exactmetrics_view_dashboard' capability. This key is the sole authorization gate for the '/wp-json/exactmetrics/v1/onboarding/connect-url' REST endpoint, which returns a one-time hash (OTH) token. This OTH token is then the only credential checked by the 'exactmetrics_connect_process' AJAX endpoint — which has no capability check, no nonce verification, and accepts an arbitrary plugin ZIP URL via the file parameter for installation and activation. This makes it possible for authenticated attackers, with Editor-level access and above granted the report viewing permission, to install and activate arbitrary plugins from attacker-controlled URLs, leading to Remote Code Execution.

Affects Plugins

Plugin icon
google-analytics-dashboard-for-wp
Fixed in 9.1.3

References

CVE
CVE-2026-5464
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/09127277-9e71-484d-b674-52af693c995b

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
7.2 (high)

Miscellaneous

Original Researcher
Nguyen Ngoc Duc (duc193)
Verified
No
WPVDB ID
508af08e-b1d9-40c3-addb-fe1a952d711b

Timeline

Publicly Published
2026-04-22 (about 22 days ago)
Added
2026-04-22 (about 21 days ago)
Last Updated
2026-04-22 (about 21 days ago)

Other

Published
Title
Published
2024-10-09
Title
WP Helper Premium < 4.6.2 - Missing Authorization in whp_smtp_send_mail_test
Published
2024-12-19
Title
VW Automobile Lite <= 2.1 - Missing Authorization
Published
2025-06-07
Title
Backup and Move <= 0.1 - Missing Authorization
Published
2023-12-27
Title
WP MLM Unilevel <= 4.0 - Unauthenticated Privilege Escalation
Published
2021-12-08
Title
WP Google Map < 1.8.1 - Subscriber+ Arbitrary Post Deletion and Plugin's Settings Update