What the vulnerability does
01 Description
The MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy) plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability checks on the get_ads_access_token() and reset_experience() functions in all versions up to, and including, 10.1.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve live Google OAuth access tokens and reset the plugin's Google Ads integration.
Explanation of Vulnerability in Simple Terms
02 Summary
MonsterInsights versions up to 10.1.2 lack proper authorization checks, allowing authenticated users with low privileges to read sensitive analytics data they should not access. The vulnerability requires a WordPress login but no special role or capability. An attacker can view sensitive information, including analytics reports, and potentially modify limited settings. Update to a version newer than 10.1.2.
What an attacker can do
03 Attacker Capabilities
Read other users' analytics data and modify some plugin settings without proper authorization.
Potential impact on your site
04 Site Impact
Unauthorized users can access sensitive Google Analytics data and reports meant only for admins or specific roles.
Conditions required to exploit
05 Prerequisites
Attacker must have a low-privilege WordPress user account (e.g., subscriber or contributor role).
Key dates
06 Disclosure timeline
May 12, 2026: CVE published
May 13, 2026: Record updated