CVE-2026-1993 HIGH

CVE-2026-1993: ExactMetrics 7.1.0 - 9.0.2 - Authenticated (Custom) Improper Privilege Management to Role Privilege Escalation via Settings Update

Vendor Smub
Product ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin)
Weakness CWE-269
Published March 11, 2026
Last update March 11, 2026

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

The ExactMetrics – Google Analytics Dashboard for WordPress plugin is vulnerable to Improper Privilege Management in versions 7.1.0 through 9.0.2. The cause is the `update_settings()` function accepting arbitrary plugin setting names without a whitelist of allowed settings. This makes it possible for authenticated attackers with the `exactmetrics_save_settings` capability to modify any plugin setting, including the `save_settings` option that controls which user roles have access to plugin functionality. That capability was intended to let an administrator delegate configuration access to a trusted user, not to let that user extend access to everyone. By setting `save_settings` to include `subscriber`, an attacker can grant plugin administrative access to all subscribers on the site.
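An added illustration, not code from the ExactMetrics plugin, of the missing control the description points at: a settings handler that writes only allowlisted keys and reserves access-control keys such as `save_settings` for site administrators. The `save_settings` key is the option named in the advisory; the other setting names and the function names here are assumed for the example.

```php
<?php
// Added example (not ExactMetrics' own code). Only 'save_settings' comes from
// the advisory; all other setting names below are made up for illustration.

// Settings a delegated user (holder of exactmetrics_save_settings) may change.
const DELEGATED_SETTINGS = ['tracking_mode', 'events_mode', 'anonymize_ips'];

// Settings that grant or change access; these stay with site administrators.
const ADMIN_ONLY_SETTINGS = ['save_settings'];

// Pattern the advisory describes: every submitted key is written unchecked.
function update_settings_unsafe(array $current, array $incoming): array
{
    foreach ($incoming as $name => $value) {
        $current[$name] = $value;   // no allowlist, no per-key privilege check
    }
    return $current;
}

// Hardened pattern: allowlisted keys only, and access-control keys require an
// administrator. Returns [updated settings, rejected key names] so rejections
// can be logged and alerted on.
function update_settings_safe(array $current, array $incoming, bool $is_admin): array
{
    $rejected = [];
    foreach ($incoming as $name => $value) {
        // Normalise the key the way WordPress's sanitize_key() would.
        $name = preg_replace('/[^a-z0-9_]/', '', strtolower((string) $name));
        if (in_array($name, DELEGATED_SETTINGS, true)) {
            $current[$name] = $value;
        } elseif ($is_admin && in_array($name, ADMIN_ONLY_SETTINGS, true)) {
            $current[$name] = $value;
        } else {
            $rejected[] = $name;    // unknown key or insufficient privilege
        }
    }
    return [$current, $rejected];
}

// Constructed sample: a delegated (non-admin) user submits a role-list change
// alongside an ordinary setting.
$current  = ['tracking_mode' => 'analytics', 'save_settings' => ['administrator']];
$incoming = ['tracking_mode' => 'gtag', 'save_settings' => ['administrator', 'subscriber']];

$leaked = update_settings_unsafe($current, $incoming);
[$kept, $rejected] = update_settings_safe($current, $incoming, false);

assert($leaked['save_settings'] === ['administrator', 'subscriber']); // roles widened
assert($kept['save_settings'] === ['administrator']);                  // roles preserved
assert($kept['tracking_mode'] === 'gtag');                             // normal edit kept
assert($rejected === ['save_settings']);                               // key to audit
echo 'rejected keys: ' . implode(', ', $rejected) . PHP_EOL;
```

Run with `php example.php`; a non-empty rejected list from a non-admin caller is the event worth logging, since it is exactly the write the advisory describes.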

Explanation of Vulnerability in Simple Terms

02 Summary

ExactMetrics versions 7.1.0 through 9.0.2 contain a privilege management flaw that allows authenticated users with low-level permissions to gain unauthorized access to sensitive site data and functionality. An attacker with a basic user account can read and modify analytics data, site configuration, and other protected information without proper authorization checks.

What an attacker can do

03 Attacker Capabilities

Read and modify analytics data, site settings, and other protected information using a low-privilege user account.

Potential impact on your site

04 Site Impact

Unauthorized users can access and alter your Google Analytics configuration, view sensitive traffic data, and potentially modify site settings through the plugin.

Conditions required to exploit

05 Prerequisites

Attacker must have a valid WordPress user account with low-level permissions (e.g., Subscriber or Contributor role).

Key dates

06 Disclosure timeline

March 11, 2026 CVE published
March 11, 2026 Record updated