PT-2026-24655 · Smub · Exactmetrics – Google Analytics Dashboard For Wordpress

Ali Sünbül · Published 2026-03-11 · Updated 2026-03-15 · CVE-2026-1992

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

ExactMetrics – Google Analytics Dashboard for WordPress versions 8.6.0 through 9.0.2

Description

The ExactMetrics – Google Analytics Dashboard for WordPress plugin contains an Insecure Direct Object Reference issue. The store_settings() method within the ExactMetrics_Onboarding class improperly uses a user-supplied triggered_by parameter instead of the current user's ID for permission checks. This allows authenticated attackers possessing the exactmetrics_save_settings capability to circumvent the install_plugins capability check. By providing an administrator's user ID through the triggered_by parameter, attackers can install arbitrary plugins, potentially leading to Remote Code Execution. This issue is only exploitable on sites where administrators have granted report viewing permissions to other user types, and only by those user types.

Recommendations

Versions 8.6.0 through 9.0.2 are vulnerable. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
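The flaw described above comes down to which user ID the capability check is run against. The following is an added illustration, not the plugin's code: the triggered_by parameter and the capability names come from the advisory, while the may_install_* functions, the user table and the stand-ins for WordPress's user_can(), current_user_can() and get_current_user_id() are assumptions made so the file runs without WordPress loaded.

```php
<?php
// Constructed sample data: user ID => granted capabilities (not from a real site).
const USERS = [
    1 => ['install_plugins' => true, 'exactmetrics_save_settings' => true], // administrator
    7 => ['exactmetrics_save_settings' => true], // role that was granted ExactMetrics access
];

// Minimal stand-ins for the WordPress core functions of the same names.
function user_can(int $user_id, string $cap): bool {
    return !empty(USERS[$user_id][$cap]);
}
function get_current_user_id(): int {
    return $GLOBALS['session_user_id'];
}
function current_user_can(string $cap): bool {
    return user_can(get_current_user_id(), $cap);
}

// Vulnerable pattern (hypothetical function): the subject of the permission
// check is taken from the request, so the caller chooses whose rights are tested.
function may_install_vulnerable(array $request): bool {
    $user_id = (int) ($request['triggered_by'] ?? 0);
    return user_can($user_id, 'install_plugins');
}

// Hardened pattern (hypothetical function): the subject is always the
// authenticated session user; the request parameter plays no part in the decision.
function may_install_hardened(array $request): bool {
    return current_user_can('install_plugins');
}

// Constructed scenario: user 7 is logged in, the request names user 1.
$session_user_id = 7;
$request = ['triggered_by' => 1];

printf("request-supplied ID check: %s\n", may_install_vulnerable($request) ? 'allowed' : 'denied');
printf("session user check:        %s\n", may_install_hardened($request) ? 'allowed' : 'denied');

// Review/detection hint: a triggered_by value that differs from the session
// user is the mismatch worth logging on the server side.
if ((int) $request['triggered_by'] !== get_current_user_id()) {
    printf("mismatch: session user %d sent triggered_by=%d\n",
        get_current_user_id(), $request['triggered_by']);
}
```

With the constructed scenario, the check against the request-supplied ID passes while the check against the session user is denied.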

RCE · IDOR

Weakness Enumeration

Related Identifiers: CVE-2026-1992

Affected Products: Exactmetrics – Google Analytics Dashboard For Wordpress