Ali Sünbül

**Name of the Vulnerable Software and Affected Versions** ExactMetrics – Google Analytics Dashboard for WordPress versions 8.6.0 through 9.0.2 **Description** The ExactMetrics – Google Analytics Dashboard for WordPress plugin contains an Insecure Direct Object Reference issue. The `store settings()` method within the `ExactMetrics Onboarding` class improperly uses a user-supplied `triggered by` parameter instead of the current user's ID for permission checks. This allows authenticated attackers possessing the `exactmetrics save settings` capability to circumvent the `install plugins` capability check. By providing an administrator's user ID through the `triggered by` parameter, attackers can install arbitrary plugins, potentially leading to Remote Code Execution. This issue is only exploitable on sites where administrators have granted report viewing permissions to other user types, and only by those user types. **Recommendations** Versions 8.6.0 through 9.0.2 are vulnerable. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ExactMetrics – Google Analytics Dashboard for WordPress versions 7.1.0 through 9.0.2 **Description** The ExactMetrics – Google Analytics Dashboard for WordPress plugin exhibits an Improper Privilege Management issue. The `update settings()` function does not validate input, allowing authenticated attackers possessing the `exactmetrics save settings` capability to modify any plugin setting. Specifically, attackers can alter the `save settings` option, which governs user role access to plugin functionality. By modifying this setting to include the `subscriber` role, an attacker can grant administrative access to all subscribers on the site. The `update settings()` function is the component responsible for this behavior. **Recommendations** Versions 7.1.0 through 9.0.2 are affected and should be updated when a fix is available. As a temporary workaround, restrict the `exactmetrics save settings` capability to only trusted users.

**Name of the Vulnerable Software and Affected Versions** Gutenberg Blocks with AI by Kadence WP plugin for WordPress versions up to and including 3.6.1 **Description** The Gutenberg Blocks with AI by Kadence WP plugin for WordPress is susceptible to Server-Side Request Forgery due to inadequate validation of the `endpoint` parameter within the `get items()` function of the GetResponse REST API handler. The permission check for the `endpoint` parameter only requires the `edit posts` capability, allowing attackers with Contributor-level access or higher to make server-side requests to arbitrary endpoints on the configured GetResponse API server. This can lead to the retrieval of sensitive data, including contacts, campaigns, and mailing lists, using the site’s stored API credentials. The stored API key is also exposed in the request headers. **Recommendations** Update the Gutenberg Blocks with AI by Kadence WP plugin for WordPress to a version later than 3.6.1.

**Name of the Vulnerable Software and Affected Versions** Gutenberg Blocks with AI by Kadence WP plugin for WordPress versions up to and including 3.6.1 **Description** The Gutenberg Blocks with AI by Kadence WP plugin for WordPress is susceptible to a missing authorization issue. The `process image data ajax callback()` function, which processes the `kadence import process image data` AJAX action, lacks a complete capability check. While it verifies the `edit posts` capability, it fails to validate the `upload files` capability. This allows authenticated attackers with Contributor-level access or higher to upload arbitrary images from remote URLs to the WordPress Media Library, circumventing standard WordPress capability restrictions that prevent Contributors from uploading files. The vulnerable function is `process image data ajax callback()`. The vulnerable AJAX action is `/kadence import process image data`. **Recommendations** Update the Gutenberg Blocks with AI by Kadence WP plugin to a version beyond 3.6.1.