CVE-2026-1993 - Vulnerability Analysis

Overview

ExactMetrics – Google Analytics Dashboard for WordPress plugin 7.1.0 through 9.0.2 contains an improper privilege management vulnerability caused by lack of whitelist in update_settings() function, letting authenticated attackers with exactmetrics_save_settings capability modify any plugin setting, including access control, exploit requires exactmetrics_save_settings capability.

Severity & Score

Impact

Authenticated attackers can escalate privileges by modifying plugin settings to grant administrative access to all subscribers.

Mitigation

Update to a version later than 9.0.2 or the latest available version.

References

• https://plugins.trac.wordpress.org/browser/google-analytics-dashboard-for-wp/trunk/includes/admin/routes.php#L201
• https://plugins.trac.wordpress.org/changeset/3473805/google-analytics-dashboard-for-wp/trunk/includes/admin/routes.php?old=3453934&old_path=google-analytics-dashboard-for-wp%2Ftrunk%2Fincludes%2Fadmin%2Froutes.php
• https://plugins.trac.wordpress.org/changeset/3473805/google-analytics-dashboard-for-wp/trunk/includes/capabilities.php?old=2897321&old_path=google-analytics-dashboard-for-wp%2Ftrunk%2Fincludes%2Fcapabilities.php
• https://www.wordfence.com/threat-intel/vulnerabilities/id/1c1ce474-ecce-4d21-b174-cb54a2441b2b?source=cve
• https://plugins.trac.wordpress.org/browser/google-analytics-dashboard-for-wp/tags/7.15.3/includes/admin/routes.php#L201

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 11, 2026

🟠 CVE-2026-1993 - High (8.8) The ExactMetrics – Google Analytics Dashboard for WordPress plugin is vulnerable to Improper Privilege Management in versions 7.1.0 through 9.0.2. This is due to the `update_settings()` function accepting arbitrary plugin setting names without a... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-1993/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

• Vulnerability Intelligence Dashboard
• Credential Scanner