ExactMetrics 7.1.0 – 9.0.2 – Improper Privilege Management to Role Privilege Escalation via Settings Update | CVE 2026-1993 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Improper Privilege Management due to the `update_settings()` function accepting arbitrary plugin setting names without a whitelist of allowed settings. This makes it possible for authenticated attackers with the `exactmetrics_save_settings` capability to modify any plugin setting, including the `save_settings` option that controls which user roles have access to plugin functionality. The admin intended to delegate configuration access to a trusted user, not enable that user to delegate access to everyone. By setting `save_settings` to include `subscriber`, an attacker can grant plugin administrative access to all subscribers on the site.

Affects Plugins

google-analytics-dashboard-for-wp

Fixed in 9.0.3

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/1c1ce474-ecce-4d21-b174-cb54a2441b2b

Classification

Type

PRIVESC

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Ali Sünbül

Verified

No

WPVDB ID

c9eb6e53-2d71-4538-92c6-41e9ed6dcc49

Timeline

Publicly Published

2026-03-10 (about 2 months ago)

Added

2026-03-10 (about 2 months ago)

Last Updated

2026-03-10 (about 2 months ago)

Other

Published

Title

Published

2026-01-05

Title

Download Manager < 3.3.41 - Unauthenticated Limited Privilege Escalation

Published

2020-01-01

Title

Import Users From CSV with Meta 1.15 - Unauthorised Authenticated Users Export

Published

2023-12-26

Title

Ultimate Addons for Beaver Builder < 1.35.15 - Contributor+ Privilege Escalation

Published

2016-02-10

Title

Woocommerce Exporter < 1.8.4 - Privilege Esclation

Published

2023-11-09

Title

WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) < 7.6.7 - Authenticated (Subscriber+) Privilege Escalation