PT-2026-34649 · WordPress · Exactmetrics

Published: 2026-04-23 · Updated: 2026-04-24 · CVE-2026-5464

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) versions prior to 9.1.3

Description: The plugin allows authenticated attackers with Editor-level access or higher and report viewing permissions to install and activate arbitrary plugins from external URLs, potentially leading to Remote Code Execution. The issue occurs because the reports page exposes the onboarding key transient to users with the exactmetrics view dashboard capability. This key grants access to the '/wp-json/exactmetrics/v1/onboarding/connect-url' REST endpoint, which provides a one-time hash (OTH) token. This token is the only credential verified by the exactmetrics connect process() AJAX endpoint, which lacks capability checks and nonce verification, and accepts an arbitrary plugin ZIP URL through the file parameter.

Recommendations: Update the plugin to a version newer than 9.1.2.
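The three missing controls the description names (a capability check, nonce verification, and an unrestricted plugin ZIP URL) are shown together in the hardened WordPress AJAX handler below. This is an added illustrative example, not ExactMetrics' code; the action name, nonce action, transient name and allowlisted download host are assumptions.

```php
<?php
// Added example: hardened pattern for a WordPress AJAX handler that installs a
// plugin from a URL. NOT the plugin's own code; names below are assumptions.

add_action( 'wp_ajax_example_connect_process', 'example_connect_process' );

function example_connect_process() {
    // 1. Nonce: the request must originate from a page the user actually loaded.
    check_ajax_referer( 'example_connect_nonce', 'nonce' );

    // 2. Capability: only users who may install plugins get past this point.
    //    A one-time hash is a secondary factor, never a replacement for this.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    // 3. The one-time hash is still checked, in constant time, and then consumed
    //    so a captured value cannot be replayed. Transient name is assumed.
    $oth      = isset( $_POST['oth'] ) ? sanitize_text_field( wp_unslash( $_POST['oth'] ) ) : '';
    $expected = get_transient( 'example_connect_oth' );
    if ( '' === $oth || empty( $expected ) || ! hash_equals( (string) $expected, $oth ) ) {
        wp_send_json_error( array( 'message' => 'Invalid token' ), 403 );
    }
    delete_transient( 'example_connect_oth' );

    // 4. Never install from a caller-chosen location: pin scheme and host
    //    to an allowlisted download server (host below is assumed).
    $file   = isset( $_POST['file'] ) ? esc_url_raw( wp_unslash( $_POST['file'] ) ) : '';
    $scheme = wp_parse_url( $file, PHP_URL_SCHEME );
    $host   = wp_parse_url( $file, PHP_URL_HOST );
    if ( 'https' !== $scheme || 'downloads.example.com' !== $host ) {
        wp_send_json_error( array( 'message' => 'Download source not allowed' ), 400 );
    }

    // Only now is the package fetched and installed with WordPress core's upgrader.
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $file );
    if ( is_wp_error( $result ) || ! $result ) {
        wp_send_json_error( array( 'message' => 'Install failed' ), 500 );
    }
    wp_send_json_success();
}
```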

Fix

Missing Authorization

Weakness Enumeration

Related Identifiers

CVE-2026-5464

Affected Products

Exactmetrics