Threat Entry Updated 2026-03-11

CVE-2026-1993 - Google Analytics Dashboard For Plugin

The ExactMetrics – Google Analytics Dashboard for WordPress plugin is vulnerable to Improper Privilege Management in versions 7.1.0 through 9.0.2. This is due to the `update_settings()` function accepting arbitrary plugin setting names without a whitelist of allowed settings. This makes it possible for authenticated attackers with the `exactmetrics_save_settings` capability to modify any plugin setting, including the `save_settings` option that controls which user roles have access to plugin functionality. The admin intended to delegate configuration access to a trusted user, not enable that user to delegate access to everyone. By setting…

PLUGIN Google Analytics Dashboard For

CVE-2026-1993

HIGH CVSS 8.8 2026-03-11

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2026-03-11

CVE-2026-1992 - Google Analytics Dashboard For Plugin

The ExactMetrics – Google Analytics Dashboard for WordPress plugin is vulnerable to Insecure Direct Object Reference in versions 8.6.0 through 9.0.2. This is due to the `store_settings()` method in the `ExactMetrics_Onboarding` class accepting a user-supplied `triggered_by` parameter that is used instead of the current user's ID to check permissions. This makes it possible for authenticated attackers with the `exactmetrics_save_settings` capability to bypass the `install_plugins` capability check by specifying an administrator's user ID in the `triggered_by` parameter, allowing them to install arbitrary plugins and achieve Remote Code Execution. This vulnerability only…

PLUGIN Google Analytics Dashboard For

CVE-2026-1992

HIGH CVSS 8.8 2026-03-11

Risk Score

Open Full Technical Breakdown