PT-2026-34850 · WordPress · Exactmetrics

Dmitry Ignatyev · Published 2026-04-24 · Updated 2026-04-25 · CVE-2026-5488

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

ExactMetrics – Google Analytics Dashboard for WordPress versions prior to 9.1.3

Description

Missing authorization in the plugin allows authenticated attackers with subscriber-level access or higher to retrieve valid Google Ads access tokens and reset Google Ads integration settings. This occurs because the AJAX handlers get_ads_access_token() and reset_experience() only verify the nonce and fail to perform necessary capability checks, unlike other endpoints in the same class that require the exactmetrics_save_settings capability.

Recommendations

Update the plugin to a version later than 9.1.2. As a temporary workaround, restrict access to the get_ads_access_token() and reset_experience() AJAX handlers.
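
One way to apply the temporary workaround until the update is installed, as an added example that is not ExactMetrics code and not part of the original advisory: a must-use plugin that enforces the exactmetrics_save_settings capability before the two handlers run. The AJAX action strings are placeholders, since the advisory names only the handler methods, and the guard assumes the plugin registers its handlers at the default hook priority of 10 or later.

```php
<?php
/**
 * Plugin Name: ExactMetrics AJAX capability guard (temporary workaround)
 *
 * Added example, not ExactMetrics code. Place in wp-content/mu-plugins/.
 */

// ASSUMPTION: placeholders. The advisory gives the handler method names but
// not the AJAX action strings they are registered under. Replace these with
// the strings used in the installed plugin's add_action( 'wp_ajax_...' ) calls.
const EM_GUARDED_AJAX_ACTIONS = array(
    'PLACEHOLDER_ACTION_FOR_get_ads_access_token',
    'PLACEHOLDER_ACTION_FOR_reset_experience',
);

// Capability the advisory says the other endpoints in the class require.
const EM_REQUIRED_CAP = 'exactmetrics_save_settings';

/**
 * Stop the request unless the current user holds the required capability.
 * A valid nonce only shows the request came from a page WordPress rendered
 * for this user; it says nothing about what the user is allowed to do.
 */
function em_guard_deny_without_capability() {
    if ( current_user_can( EM_REQUIRED_CAP ) ) {
        return; // Authorized: fall through to the plugin's own handler.
    }

    // Leave a trace for review: which action was hit and by which account.
    error_log( sprintf(
        'ExactMetrics guard: denied %s for user %d',
        current_action(),
        get_current_user_id()
    ) );

    // Sends a JSON error with HTTP 403 and terminates the request, so the
    // plugin's handler never executes.
    wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
}

foreach ( EM_GUARDED_AJAX_ACTIONS as $em_action ) {
    // Priority 0 runs before callbacks registered at the default priority 10
    // (ASSUMPTION: the plugin does not register its handlers earlier).
    add_action( 'wp_ajax_' . $em_action, 'em_guard_deny_without_capability', 0 );
}
```

Remove the file once the plugin is updated; the error_log entries show whether low-privileged accounts were reaching these endpoints in the meantime.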

Fix

Missing Authorization


Weakness Enumeration

Related Identifiers: CVE-2026-5488

Affected Products: Exactmetrics