Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
The ExactMetrics - Google Analytics Dashboard for WordPress (Website Stats Plugin) plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation and activation in all versions up to, and including, 9.1.2. This is due to the reports page exposing the 'onboarding_key' transient to any user with the 'exactmetrics_view_dashboard' capability. This key is the sole authorization gate for the '/wp-json/exactmetrics/v1/onboarding/connect-url' REST endpoint, which returns a one-time hash (OTH) token. This OTH token is then the only credential checked by the 'exactmetrics_connect_process' AJAX endpoint - which has no capability check, no nonce verification, and accepts an arbitrary plugin ZIP URL via the file parameter for installation and activation. This makes it possible for authenticated attackers, with Editor-level access and above granted the report viewing permission, to install and activate arbitrary plugins from attacker-controlled URLs, leading to Remote Code Execution.
AnalysisAI
Authenticated Editor-level attackers can achieve Remote Code Execution in ExactMetrics WordPress plugin (all versions ≤9.1.2) by chaining exposed onboarding credentials to install and activate arbitrary plugin ZIP files from attacker-controlled URLs. The attack exploits a missing authorization check in the 'exactmetrics_connect_process' AJAX endpoint that accepts the one-time hash token obtained via the exposed 'onboarding_key' transient-effectively bypassing plugin installation controls. EPSS and KEV status unknown; CVSS 7.2 reflects high-privilege requirement (PR:H) but direct path to RCE makes this a critical risk for multi-author WordPress sites where Editors have dashboard viewing permissions. Wordfence advisory and source code references confirm the vulnerability chain across three distinct code locations in versions through 9.1.1.
Technical ContextAI
This vulnerability exploits WordPress's role-based access control (RBAC) and plugin management system. ExactMetrics grants the 'exactmetrics_view_dashboard' capability to Editor-level users and above. The plugin's onboarding flow uses a two-token authentication pattern: (1) an 'onboarding_key' transient exposed in the reports page JavaScript, and (2) a one-time hash (OTH) token returned by the '/wp-json/exactmetrics/v1/onboarding/connect-url' REST endpoint. The critical flaw (CWE-862: Missing Authorization) occurs in 'exactmetrics_connect_process' AJAX handler at includes/connect.php line 219, which validates only the OTH token without capability checks or WordPress nonces, then processes arbitrary plugin installation via the 'file' parameter pointing to remote ZIP URLs. The vulnerability chain spans three code locations: admin-assets.php (exposing onboarding_key at line 932), class-exactmetrics-onboarding.php (REST endpoint at line 109), and connect.php (AJAX handler at line 27 and installation logic at line 219). Affected product per CPE: ExactMetrics (SMUB vendor) WordPress plugin versions through 9.1.2.
RemediationAI
Immediately upgrade ExactMetrics to version 9.1.3 or later if available (check WordPress plugin repository or vendor advisory for confirmed patched version-exact fix version not independently verified from provided references). Until patching: (1) Revoke 'exactmetrics_view_dashboard' capability from all Editor-level users who do not require analytics access, limiting exposure to Administrator-only (trade-off: reduces reporting functionality for content editors); (2) implement Web Application Firewall rules blocking POST requests to '/wp-admin/admin-ajax.php' with action parameter 'exactmetrics_connect_process' from non-Administrator IPs (trade-off: breaks legitimate onboarding workflow); (3) monitor WordPress plugin installation logs for unauthorized additions via file integrity monitoring focusing on wp-content/plugins directory writes from www-data user; (4) disable file modifications via wp-config.php constant 'define(DISALLOW_FILE_MODS, true);' to prevent all plugin/theme installations (trade-off: blocks legitimate updates requiring manual FTP-based patching). Reference Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/09127277-9e71-484d-b674-52af693c995b for latest remediation guidance and source code examination at WordPress plugin Trac browser for verification of patch implementation.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same weakness CWE-862 – Missing Authorization
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25207
GHSA-wx6x-8rvm-6rmr