PT-2026-24656 · Smub · Exactmetrics – Google Analytics Dashboard For Wordpress

Ali Sünbül · Published 2026-03-11 · Updated 2026-03-15 · CVE-2026-1993

CVSS v3.1: 8.8 High
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

ExactMetrics – Google Analytics Dashboard for WordPress versions 7.1.0 through 9.0.2

Description

The ExactMetrics – Google Analytics Dashboard for WordPress plugin exhibits an Improper Privilege Management issue. The update_settings() function does not validate input, allowing authenticated attackers possessing the exactmetrics_save_settings capability to modify any plugin setting. Specifically, attackers can alter the save_settings option, which governs user role access to plugin functionality. By modifying this setting to include the subscriber role, an attacker can grant administrative access to all subscribers on the site. The update_settings() function is the component responsible for this behavior.

Recommendations

Versions 7.1.0 through 9.0.2 are affected and should be updated when a fix is available. As a temporary workaround, restrict the exactmetrics_save_settings capability to only trusted users.
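
The weakness class described above, shown as an added example that is not ExactMetrics code: a settings handler that stores any key and value, next to a form that allowlists keys, validates values and requires a stronger capability for the role-granting setting. The function names, the demo_sample_rate setting and the role policy are hypothetical; save_settings and exactmetrics_save_settings are the names from this advisory, and manage_options is the WordPress core administrator capability.

```php
<?php
// Added illustration, not ExactMetrics code. 'save_settings' and
// 'exactmetrics_save_settings' come from the advisory; the rest is hypothetical.
const ROLE_GRANTING_KEYS = ['save_settings'];
const DELEGABLE_ROLES    = ['administrator', 'editor']; // assumed site policy
// Pattern described in the advisory: caller-supplied key and value stored as-is.
function update_setting_unchecked(array $settings, string $key, $value): array {
    $settings[$key] = $value;
    return $settings;
}

// Hardened form: allowlisted keys, per-key validation, manage_options for role keys.
function update_setting_checked(array $settings, string $key, $value, array $actorCaps): array {
    $validators = [
        'save_settings' => function ($v) {
            if (!is_array($v) || array_diff($v, DELEGABLE_ROLES)) {
                throw new InvalidArgumentException('role list not permitted');
            }
            return array_values(array_unique($v));
        },
        'demo_sample_rate' => function ($v) { // hypothetical ordinary setting
            if (!is_numeric($v) || $v < 0 || $v > 100) {
                throw new InvalidArgumentException('sample rate out of range');
            }
            return (int) $v;
        },
    ];
    if (!isset($validators[$key])) {
        throw new InvalidArgumentException("unknown setting: $key");
    }
    if (in_array($key, ROLE_GRANTING_KEYS, true) && !in_array('manage_options', $actorCaps, true)) {
        throw new RuntimeException("changing $key requires manage_options");
    }
    $settings[$key] = $validators[$key]($value);
    return $settings;
}

// Constructed sample data: a delegated user holding only the plugin capability.
$settings = ['save_settings' => ['administrator'], 'demo_sample_rate' => 100];
$caps     = ['read', 'exactmetrics_save_settings'];
$after = update_setting_unchecked($settings, 'save_settings', ['administrator', 'subscriber']);
echo 'unchecked: ', implode(',', $after['save_settings']), PHP_EOL;
try {
    update_setting_checked($settings, 'save_settings', ['administrator', 'subscriber'], $caps);
} catch (Exception $e) {
    echo 'checked:   rejected (', $e->getMessage(), ')', PHP_EOL;
}
$ok = update_setting_checked($settings, 'demo_sample_rate', '25', $caps);
echo 'checked:   demo_sample_rate=', $ok['demo_sample_rate'], PHP_EOL;
```

The key point is that the setting controlling who may change settings is gated by a capability the delegated role does not hold, so a delegated user cannot widen their own access.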

Fix

LPE

Improper Privilege Management

Weakness Enumeration

Related Identifiers: CVE-2026-1993

Affected Products: Exactmetrics – Google Analytics Dashboard For Wordpress