CVE-2026-5488 MEDIUM

CVE-2026-5488: ExactMetrics <= 9.1.2 - Authenticated (Subscriber+) Missing Authorization to Google Ads Access Token Retrieval via AJAX Action 'exactmetrics_ads_get_token'

Vendor: Smub
Product: ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin)
Weakness: CWE-862 · Missing authorization
Published: April 24, 2026
Last update: April 24, 2026

CVSS base score

5.3/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: Low
Integrity: None
Availability: None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01 Description

The ExactMetrics – Google Analytics Dashboard for WordPress plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 9.1.2. This is due to missing capability checks in the get_ads_access_token() and reset_experience() AJAX handlers. While the mi-admin-nonce is localized on all admin pages (including profile.php which subscribers can access), and while other similar AJAX endpoints in the same class properly check for the exactmetrics_save_settings capability, these two endpoints only verify the nonce. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve valid Google Ads access tokens and reset Google Ads integration settings.
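The description hinges on the difference between a nonce check and an authorization check: the nonce only proves the request originated from an admin page the user could load (and every logged-in user can load profile.php), while a capability check proves the user is allowed to perform the action. The following is a constructed illustration of that pattern, not ExactMetrics' own code; the hook name follows WordPress's `wp_ajax_{action}` convention for the action named in the title, and the function names and option key are assumptions.

```php
<?php
// Constructed example; not code from the ExactMetrics plugin.

// BEFORE (the flaw the CVE describes): only the nonce is verified. The
// mi-admin-nonce is localized on every admin page, including profile.php,
// so any authenticated user (Subscriber and up) can obtain it and pass
// this check, even though they hold no ExactMetrics capability at all.
function example_ads_get_token_vulnerable() {
    check_ajax_referer( 'mi-admin-nonce', 'nonce' );

    $token = get_option( 'example_ads_access_token' ); // assumed storage location
    wp_send_json_success( array( 'token' => $token ) );
}

// AFTER: the nonce check stays (it is still needed against CSRF) and the
// same capability check the description says the sibling endpoints in the
// class already perform is added. wp_send_json_error() calls wp_die(), so
// execution stops for users who fail the check.
function example_ads_get_token_fixed() {
    check_ajax_referer( 'mi-admin-nonce', 'nonce' );

    if ( ! current_user_can( 'exactmetrics_save_settings' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $token = get_option( 'example_ads_access_token' ); // assumed storage location
    wp_send_json_success( array( 'token' => $token ) );
}

// Register the hardened handler for the AJAX action named in the advisory title.
add_action( 'wp_ajax_exactmetrics_ads_get_token', 'example_ads_get_token_fixed' );
```

The same two-line capability check applies to the reset_experience() handler the description mentions; any AJAX handler that changes settings or returns credentials should have both the nonce check and a capability check.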

Explanation of Vulnerability in Simple Terms

02 Summary

ExactMetrics versions up to and including 9.1.2 lack an authorization (capability) check on two AJAX handlers, so any logged-in user with Subscriber-level access or higher can retrieve valid Google Ads access tokens and reset the Google Ads integration settings. The plugin verifies the request nonce but not the user's permissions before exposing this data. Site administrators should update to a version newer than 9.1.2 so that these actions are restricted to users who hold the exactmetrics_save_settings capability.

What an attacker can do

03 Attacker Capabilities

Retrieve valid Google Ads access tokens and reset the Google Ads integration settings using any authenticated account with Subscriber-level access or higher.

Potential impact on your site

04 Site Impact

Valid Google Ads access tokens are exposed to low-privileged (Subscriber+) users, and those users can reset the site's Google Ads integration settings.

Conditions required to exploit

05 Prerequisites

Network access to the site and an authenticated account with Subscriber-level access or higher; no user interaction required.

Key dates

06 Disclosure timeline

April 24, 2026 CVE published
April 24, 2026 Record updated
