
Threat Database

Showing 3 records: 0 Critical, 3 High, 0 Medium.
CVE-2026-5464 - ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) (entry updated 2026-04-23)

The ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation and activation in all versions up to, and including, 9.1.2. This is due to the reports page exposing the 'onboarding_key' transient to any user with the 'exactmetrics_view_dashboard' capability. This key is the sole authorization gate for the '/wp-json/exactmetrics/v1/onboarding/connect-url' REST endpoint, which returns a one-time hash (OTH) token. This OTH token is then the only credential checked by the 'exactmetrics_connect_process' AJAX endpoint — which has no capability check, no nonce…

Severity: HIGH, CVSS 7.2, 2026-04-23
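Added illustration of the pattern this entry describes (example code written for this page, not ExactMetrics' own code): an AJAX handler whose only gate is possession of a shared secret, beside one that checks a nonce and the capability the action actually requires, and a reports-page data builder that no longer hands the secret to mere dashboard viewers. The `em_*` names, the transient name `em_onboarding_key`, the stand-in WordPress functions and the constructed secret and nonce values are assumptions; inside WordPress the real `current_user_can()`, `get_transient()` and `wp_verify_nonce()` take precedence because of the `function_exists` guards.

```php
<?php
// Illustrative reconstruction of the authorization mistake described above;
// this is not the plugin's code. Function names and data are assumptions.

// Stand-ins so the file runs under plain `php` outside WordPress. Inside
// WordPress these are skipped and the real functions are used.
if (!function_exists('current_user_can')) {
    function current_user_can($cap) {
        // Constructed: the current user may only view the stats dashboard.
        return in_array($cap, ['exactmetrics_view_dashboard'], true);
    }
}
if (!function_exists('get_transient')) {
    function get_transient($key) {
        return $key === 'em_onboarding_key' ? 'k9v2-demo-secret' : false; // constructed
    }
}
if (!function_exists('wp_verify_nonce')) {
    function wp_verify_nonce($nonce, $action) {
        return $nonce === 'demo-valid-nonce' ? 1 : false; // constructed stand-in
    }
}

// VULNERABLE pattern: the key is the whole authorization decision. Anyone who
// can read it (here: any dashboard viewer) can drive the privileged action.
function em_connect_process_vulnerable(array $request): string {
    $expected = get_transient('em_onboarding_key');
    if ($expected !== false && ($request['key'] ?? '') === $expected) {
        return 'installed';   // a real handler would install and activate a plugin here
    }
    return 'denied';
}

// HARDENED pattern: nonce for CSRF, capability for authorization, and the
// secret only as an extra binding, compared in constant time.
function em_connect_process_hardened(array $request): string {
    if (!wp_verify_nonce($request['_wpnonce'] ?? '', 'em_connect_process')) {
        return 'denied: bad nonce';
    }
    // Check the capability that matches the action's real impact.
    if (!current_user_can('install_plugins')) {
        return 'denied: insufficient capability';
    }
    $expected = get_transient('em_onboarding_key');
    if ($expected === false || !hash_equals($expected, (string) ($request['key'] ?? ''))) {
        return 'denied: bad key';
    }
    return 'installed';
}

// The leak itself: the reports page should only carry the key for users who
// are allowed to perform the action the key unlocks.
function em_reports_page_data_hardened(): array {
    $data = ['stats' => ['sessions' => 42]]; // constructed dashboard payload
    if (current_user_can('install_plugins')) {
        $data['onboarding_key'] = get_transient('em_onboarding_key');
    }
    return $data;
}

// A dashboard viewer who scraped the key from the reports page and also holds
// a valid nonce for the action.
$leaked = ['key' => 'k9v2-demo-secret', '_wpnonce' => 'demo-valid-nonce'];
echo em_connect_process_vulnerable($leaked), "\n";
echo em_connect_process_hardened($leaked), "\n";
print_r(em_reports_page_data_hardened());
```

With the constructed viewer-only user, the vulnerable handler reports `installed` while the hardened one stops at the capability check, and the hardened reports payload carries no `onboarding_key`. In a real `wp_ajax_*` handler the nonce step would normally be `check_ajax_referer()` and the failures returned with `wp_send_json_error()`.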
CVE-2026-1993 - ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) (entry updated 2026-04-22)

The ExactMetrics – Google Analytics Dashboard for WordPress plugin is vulnerable to Improper Privilege Management in versions 7.1.0 through 9.0.2. This is due to the `update_settings()` function accepting arbitrary plugin setting names without a whitelist of allowed settings. This makes it possible for authenticated attackers with the `exactmetrics_save_settings` capability to modify any plugin setting, including the `save_settings` option that controls which user roles have access to plugin functionality. The admin intended to delegate configuration access to a trusted user, not enable that user to delegate access to everyone. By setting…

Severity: HIGH, CVSS 8.8, 2026-03-11
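Added illustration of the missing allowlist this entry describes (example code written for this page, not ExactMetrics' own code): a settings handler that writes whatever option names the request contains, beside one that accepts only enumerated settings, sanitizes each one, and reserves the role-delegation setting for users with `manage_options`. The `em_*` names, the allowlist entries other than `save_settings`, the sanitizers and the stand-in WordPress functions are assumptions; inside WordPress the real `current_user_can()`, `update_option()` and `sanitize_text_field()` are used because of the `function_exists` guards.

```php
<?php
// Illustrative reconstruction, not the plugin's code. Setting names other than
// save_settings, the em_ option prefix and the stand-in data are assumptions.

if (!function_exists('current_user_can')) {
    function current_user_can($cap) {
        // Constructed: a delegated user who may save settings but is not an admin.
        return in_array($cap, ['exactmetrics_save_settings'], true);
    }
}
if (!function_exists('update_option')) {
    function update_option($name, $value) {
        $GLOBALS['demo_options'][$name] = $value;
        return true;
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($s) { return trim(strip_tags((string) $s)); }
}

// VULNERABLE: every key in the request becomes an option, including the one
// that decides which roles may use (and reconfigure) the plugin.
function em_update_settings_vulnerable(array $settings): array {
    if (!current_user_can('exactmetrics_save_settings')) {
        return ['error' => 'forbidden'];
    }
    foreach ($settings as $name => $value) {
        update_option('em_' . $name, $value);
    }
    return ['updated' => array_keys($settings)];
}

// HARDENED: explicit allowlist, a sanitizer per setting, and a stricter
// capability for the setting that changes who is allowed to change settings.
const EM_SETTINGS_ALLOWLIST = [
    'tracking_mode' => ['cap' => 'exactmetrics_save_settings', 'sanitize' => 'sanitize_text_field'],
    'anonymize_ips' => ['cap' => 'exactmetrics_save_settings', 'sanitize' => 'em_sanitize_bool'],
    // Role delegation is an administrative decision, not a plugin-settings one.
    'save_settings' => ['cap' => 'manage_options',             'sanitize' => 'em_sanitize_roles'],
];

function em_sanitize_bool($v): bool {
    return filter_var($v, FILTER_VALIDATE_BOOLEAN);
}

function em_sanitize_roles($v): array {
    $known = ['administrator', 'editor', 'author', 'contributor', 'subscriber'];
    return array_values(array_intersect((array) $v, $known));
}

function em_update_settings_hardened(array $settings): array {
    if (!current_user_can('exactmetrics_save_settings')) {
        return ['error' => 'forbidden'];
    }
    $updated = [];
    $rejected = [];
    foreach ($settings as $name => $value) {
        $rule = EM_SETTINGS_ALLOWLIST[$name] ?? null;
        // Unknown setting, or a setting this user may not touch: drop it.
        if ($rule === null || !current_user_can($rule['cap'])) {
            $rejected[] = $name;
            continue;
        }
        update_option('em_' . $name, call_user_func($rule['sanitize'], $value));
        $updated[] = $name;
    }
    return ['updated' => $updated, 'rejected' => $rejected];
}

// Constructed request: the delegated user tries to open the plugin to everyone.
$request = ['tracking_mode' => 'gtag', 'save_settings' => ['subscriber']];
print_r(em_update_settings_vulnerable($request));
print_r(em_update_settings_hardened($request));
```

Against the constructed delegated user, the vulnerable handler writes both options; the hardened handler updates `tracking_mode` and lists `save_settings` under `rejected` because that entry requires `manage_options`. Keying the allowlist by setting name also means a request cannot smuggle in an option the plugin never intended to expose at all.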
CVE-2026-1992 - ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) (entry updated 2026-04-22)

The ExactMetrics – Google Analytics Dashboard for WordPress plugin is vulnerable to Insecure Direct Object Reference in versions 8.6.0 through 9.0.2. This is due to the `store_settings()` method in the `ExactMetrics_Onboarding` class accepting a user-supplied `triggered_by` parameter that is used instead of the current user's ID to check permissions. This makes it possible for authenticated attackers with the `exactmetrics_save_settings` capability to bypass the `install_plugins` capability check by specifying an administrator's user ID in the `triggered_by` parameter, allowing them to install arbitrary plugins and achieve Remote Code Execution. This vulnerability only…

Severity: HIGH, CVSS 8.8, 2026-03-11
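Added illustration of the IDOR this entry describes (example code written for this page, not ExactMetrics' own code): a store-settings handler that evaluates capabilities for whichever user ID the request names in `triggered_by`, beside one that always checks the authenticated user. The `em_*` names, the two-user capability table, the user IDs and the stand-in WordPress functions are assumptions; inside WordPress the real `get_current_user_id()` and `user_can()` are used because of the `function_exists` guards.

```php
<?php
// Illustrative reconstruction, not the plugin's code. User IDs, capability
// table and function names are constructed for this example.

if (!function_exists('get_current_user_id')) {
    function get_current_user_id() { return 7; } // constructed: the logged-in delegated user
}
if (!function_exists('user_can')) {
    function user_can($user_id, $cap) {
        $caps = [
            1 => ['install_plugins', 'exactmetrics_save_settings'], // administrator
            7 => ['exactmetrics_save_settings'],                    // delegated user
        ];
        return in_array($cap, $caps[$user_id] ?? [], true);
    }
}

// VULNERABLE: the subject of the permission check comes from the request, so
// the caller chooses whose capabilities are consulted.
function em_store_settings_vulnerable(array $request): string {
    $actor = (int) ($request['triggered_by'] ?? get_current_user_id());
    if (!user_can($actor, 'exactmetrics_save_settings')) {
        return 'denied';
    }
    if (!empty($request['install_plugins'])) {
        if (!user_can($actor, 'install_plugins')) {
            return 'settings saved, plugin install denied';
        }
        return 'settings saved, plugin installed';   // real code would install here
    }
    return 'settings saved';
}

// HARDENED: every capability check is made against the authenticated user.
// A triggered_by field, if kept at all, is audit data and must never select
// the principal being authorized.
function em_store_settings_hardened(array $request): string {
    $actor = get_current_user_id();
    if (isset($request['triggered_by']) && (int) $request['triggered_by'] !== $actor) {
        // Log the mismatch if desired; the value is ignored either way.
    }
    if (!user_can($actor, 'exactmetrics_save_settings')) {
        return 'denied';
    }
    if (!empty($request['install_plugins'])) {
        if (!user_can($actor, 'install_plugins')) {
            return 'settings saved, plugin install denied';
        }
        return 'settings saved, plugin installed';
    }
    return 'settings saved';
}

// Constructed request: user 7 names the administrator (ID 1) as the trigger.
$forged = ['triggered_by' => 1, 'install_plugins' => ['some-plugin']];
echo em_store_settings_vulnerable($forged), "\n";
echo em_store_settings_hardened($forged), "\n";
```

With the constructed table, the vulnerable handler reaches the install branch because it consulted user 1's capabilities, while the hardened handler saves the settings and refuses the install because user 7 lacks `install_plugins`. The same rule applies to any identifier a request carries about "who" is acting: the WordPress session, not the request body, is the source of truth.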