What the vulnerability does
01 Description
The ExactMetrics – Google Analytics Dashboard for WordPress plugin is vulnerable to Improper Privilege Management in versions 7.1.0 through 9.0.2. This is due to the `update_settings()` function accepting arbitrary plugin setting names without a whitelist of allowed settings. This makes it possible for authenticated attackers with the `exactmetrics_save_settings` capability to modify any plugin setting, including the `save_settings` option that controls which user roles have access to plugin functionality. The admin intended to delegate configuration access to a trusted user, not enable that user to delegate access to everyone. By setting `save_settings` to include `subscriber`, an attacker can grant plugin administrative access to all subscribers on the site.
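The root cause above is the absence of an allowlist in the settings-update path. The following is an added illustration, not ExactMetrics code, of how a defender would shape such a handler: unknown keys are refused, and the role-delegation setting (`save_settings`) is treated as a privilege grant that only a site administrator may change. The setting names in `ALLOWED_SETTINGS` and the function name are hypothetical.

```php
<?php
// Added example (hypothetical, not the plugin's own code): a settings update
// handler that only writes allowlisted keys and reserves the role-delegation
// setting for site administrators.

// Ordinary plugin settings a delegated editor may change (names are invented).
const ALLOWED_SETTINGS = ['tracking_mode', 'anonymize_ips', 'demographics'];

// The setting that decides which roles get plugin access. Changing it widens
// who can reach this very handler, so it needs administrator-level rights.
const ROLE_DELEGATION_SETTING = 'save_settings';

/**
 * Split a requested settings update into accepted and rejected keys.
 *
 * @param array $requested    key => value pairs taken from the request
 * @param bool  $is_site_admin true when the caller holds the administrator
 *                             capability (in WordPress: current_user_can('manage_options')),
 *                             not merely the plugin's own save-settings capability
 * @return array [accepted key => value pairs, list of refused keys]
 */
function filter_settings_update(array $requested, bool $is_site_admin): array
{
    $accepted = [];
    $rejected = [];
    foreach ($requested as $key => $value) {
        $key = (string) $key;
        if ($key === ROLE_DELEGATION_SETTING) {
            // Privileged setting: only a site administrator may change it.
            if ($is_site_admin) {
                $accepted[$key] = $value;
            } else {
                $rejected[] = $key;
            }
        } elseif (in_array($key, ALLOWED_SETTINGS, true)) {
            $accepted[$key] = $value;
        } else {
            // Not on the allowlist: refuse instead of passing it to the options store.
            $rejected[] = $key;
        }
    }
    return [$accepted, $rejected];
}

// Constructed request: a delegated editor (not an administrator) submits a
// harmless setting alongside an attempt to add subscribers to the access list.
$request = ['anonymize_ips' => true, 'save_settings' => ['administrator', 'subscriber']];
[$accepted, $refused] = filter_settings_update($request, false);
echo json_encode(['accepted' => $accepted, 'refused' => $refused]), PHP_EOL;
```

Logging each refused key, especially `save_settings`, gives a detection signal for attempts to widen plugin access from a delegated account.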
Explanation of Vulnerability in Simple Terms
02 Summary
ExactMetrics versions 7.1.0 through 9.0.2 contain a privilege management flaw that allows authenticated users with low-level permissions to gain unauthorized access to sensitive site data and functionality. An attacker with a basic user account can read and modify analytics data, site configuration, and other protected information without proper authorization checks.
What an attacker can do
03 Attacker Capabilities
Read and modify analytics data, site settings, and other protected information using a low-privilege user account.
Potential impact on your site
04 Site Impact
Unauthorized users can access and alter your Google Analytics configuration, view sensitive traffic data, and potentially modify site settings through the plugin.
Conditions required to exploit
05 Prerequisites
Attacker must have a valid WordPress user account with low-level permissions (e.g., Subscriber or Contributor role).
Key dates
06 Disclosure timeline
March 11, 2026
CVE published
March 11, 2026
Record updated