CVE-2026-1993
ExactMetrics 7.1.0 - 9.0.2 - Authenticated (Custom) Improper Privilege Management to Role Privilege Escalation via Settings Update
The ExactMetrics – Google Analytics Dashboard for WordPress plugin is vulnerable to Improper Privilege Management in versions 7.1.0 through 9.0.2. This is due to the `update_settings()` function accepting arbitrary plugin setting names without a whitelist of allowed settings. This makes it possible for authenticated attackers with the `exactmetrics_save_settings` capability to modify any plugin setting, including the `save_settings` option that controls which user roles have access to plugin functionality. The admin intended to delegate configuration access to a trusted user, not enable that user to delegate access to everyone. By setting `save_settings` to include `subscriber`, an attacker can grant plugin administrative access to all subscribers on the site.
| CWE | CWE-269 |
| Vendor | smub |
| Product | exactmetrics – google analytics dashboard for wordpress (website stats plugin) |
| Published | Mar 11, 2026 |
| Last Updated | Mar 11, 2026 |
Get instant alerts for smub exactmetrics – google analytics dashboard for wordpress (website stats plugin)
Be the first to know when new high vulnerabilities affecting smub exactmetrics – google analytics dashboard for wordpress (website stats plugin) are published — delivered to Slack, Telegram or Discord.
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H