ExactMetrics CVE-2026-5464

| EUVD-2026-25207 HIGH
Missing Authorization (CWE-862)
2026-04-23 Wordfence GHSA-wx6x-8rvm-6rmr
WordPress Authentication Bypass RCE Google
7.2
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Re-analysis Queued
Apr 23, 2026 - 14:37 vuln.today
cvss_changed
Analysis Generated
Apr 23, 2026 - 10:31 vuln.today

DescriptionNVD

The ExactMetrics - Google Analytics Dashboard for WordPress (Website Stats Plugin) plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation and activation in all versions up to, and including, 9.1.2. This is due to the reports page exposing the 'onboarding_key' transient to any user with the 'exactmetrics_view_dashboard' capability. This key is the sole authorization gate for the '/wp-json/exactmetrics/v1/onboarding/connect-url' REST endpoint, which returns a one-time hash (OTH) token. This OTH token is then the only credential checked by the 'exactmetrics_connect_process' AJAX endpoint - which has no capability check, no nonce verification, and accepts an arbitrary plugin ZIP URL via the file parameter for installation and activation. This makes it possible for authenticated attackers, with Editor-level access and above granted the report viewing permission, to install and activate arbitrary plugins from attacker-controlled URLs, leading to Remote Code Execution.

AnalysisAI

Authenticated Editor-level attackers can achieve Remote Code Execution in ExactMetrics WordPress plugin (all versions ≤9.1.2) by chaining exposed onboarding credentials to install and activate arbitrary plugin ZIP files from attacker-controlled URLs. The attack exploits a missing authorization check in the 'exactmetrics_connect_process' AJAX endpoint that accepts the one-time hash token obtained via the exposed 'onboarding_key' transient-effectively bypassing plugin installation controls. …

Sign in for full analysis, threat intelligence, and remediation guidance.

RemediationAI

Within 24 hours: identify all WordPress installations using ExactMetrics plugin ≤9.1.2 via administrative inventory and disable the plugin immediately. Within 7 days: evaluate whether ExactMetrics is business-critical; if so, contact vendor support for an estimated patch timeline and implement temporary role restrictions to prevent Editor-level access to WordPress dashboard. …

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Share

CVE-2026-5464 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy