What the vulnerability does
01 Description
The ExactMetrics – Google Analytics Dashboard for WordPress plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 9.1.2. This is due to missing capability checks in the get_ads_access_token() and reset_experience() AJAX handlers. While the mi-admin-nonce is localized on all admin pages (including profile.php which subscribers can access), and while other similar AJAX endpoints in the same class properly check for the exactmetrics_save_settings capability, these two endpoints only verify the nonce. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve valid Google Ads access tokens and reset Google Ads integration settings.
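The flaw class is a nonce-only check on an AJAX handler: a nonce defends against CSRF but says nothing about what the requesting user is allowed to do. The sketch below is an added illustration, not ExactMetrics' own code; it shows a hypothetical handler that verifies only the mi-admin-nonce beside the hardened form that also requires the exactmetrics_save_settings capability used by the neighbouring endpoints. The AJAX action names, the ads_token_lookup() helper and the option names are assumptions.

```php
<?php
// Added illustration, not the plugin's own code. Helper and option names
// (ads_token_lookup, example_*) are assumptions.

// Vulnerable pattern: the nonce only proves the request came from a page
// that localized mi-admin-nonce, and profile.php (reachable by subscribers)
// is such a page. Nothing here checks the user's role or capability.
function vuln_get_ads_access_token() {
    check_ajax_referer( 'mi-admin-nonce', 'nonce' );
    // Any logged-in user who obtained the nonce reaches this line.
    wp_send_json_success( array( 'token' => ads_token_lookup() ) );
}

// Hardened pattern: keep the CSRF nonce check and add an authorization
// check against the same capability the other endpoints in the class use.
function safe_get_ads_access_token() {
    check_ajax_referer( 'mi-admin-nonce', 'nonce' );
    if ( ! current_user_can( 'exactmetrics_save_settings' ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed' ), 403 );
    }
    wp_send_json_success( array( 'token' => ads_token_lookup() ) );
}

function safe_reset_experience() {
    check_ajax_referer( 'mi-admin-nonce', 'nonce' );
    if ( ! current_user_can( 'exactmetrics_save_settings' ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed' ), 403 );
    }
    // Reset the Google Ads integration settings (assumed option name).
    delete_option( 'example_ads_integration' );
    wp_send_json_success();
}

// Placeholder for whatever reads the stored access token (assumed).
function ads_token_lookup() {
    return get_option( 'example_ads_access_token', '' );
}

// wp_ajax_{action} hooks fire for every authenticated user regardless of
// role, so the current_user_can() call inside the handler is the only
// thing enforcing authorization. Only the hardened handlers are registered.
add_action( 'wp_ajax_get_ads_access_token', 'safe_get_ads_access_token' );
add_action( 'wp_ajax_reset_experience', 'safe_reset_experience' );
```

When reviewing a plugin for this class of bug, list every wp_ajax_ callback and confirm each one pairs its nonce check with a current_user_can() test; a nonce that is localized on pages low-privilege roles can load gives no authorization guarantee.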
Explanation of Vulnerability in Simple Terms
02 Summary
ExactMetrics versions up to 9.1.2 lack proper authorization checks, allowing unauthenticated attackers to read sensitive analytics data. The plugin does not verify user permissions before exposing Google Analytics information. Site administrators should update to a version newer than 9.1.2 to restrict data access to authorized users only.
What an attacker can do
03 Attacker Capabilities
Read Google Analytics data without logging in to the site.
Potential impact on your site
04 Site Impact
Sensitive analytics and traffic data exposed to anyone who knows the plugin is installed.
Conditions required to exploit
05 Prerequisites
Network access to the site; no authentication or user interaction required.
Key dates
06 Disclosure timeline
April 24, 2026: CVE published
April 24, 2026: Record updated