CVE-2026-1992 - Vulnerability Analysis

Overview

ExactMetrics – Google Analytics Dashboard for WordPress plugin 8.6.0 through 9.0.2 contains an insecure direct object reference caused by improper permission checks in store_settings() method, letting authenticated attackers with exactmetrics_save_settings capability bypass install_plugins check and install arbitrary plugins, exploit requires attacker to have exactmetrics_save_settings capability and permission to view reports.

Severity & Score

Impact

Authenticated attackers can install arbitrary plugins, leading to remote code execution and full site compromise.

Mitigation

Update to a version later than 9.0.2 or the latest available version.

References

• https://plugins.trac.wordpress.org/browser/google-analytics-dashboard-for-wp/trunk/includes/admin/class-exactmetrics-onboarding.php#L273
• https://plugins.trac.wordpress.org/changeset/3473805/google-analytics-dashboard-for-wp/trunk/includes/admin/class-exactmetrics-onboarding.php?old=3309894&old_path=google-analytics-dashboard-for-wp%2Ftrunk%2Fincludes%2Fadmin%2Fclass-exactmetrics-onboarding.php
• https://www.wordfence.com/threat-intel/vulnerabilities/id/79b6b896-df66-4c3d-a4d4-d3dbeb630134?source=cve

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 11, 2026

🟠 CVE-2026-1992 - High (8.8) The ExactMetrics – Google Analytics Dashboard for WordPress plugin is vulnerable to Insecure Direct Object Reference in versions 8.6.0 through 9.0.2. This is due to the `store_settings()` method in the `ExactMetrics_Onboarding` class accepting a... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-1992/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

• Vulnerability Intelligence Dashboard
• Credential Scanner