Insecure Direct Object Reference in ExactMetrics Google Analytics Dashboard for WordPress
CVE-2026-1992

8.8 HIGH

What is CVE-2026-1992?

The ExactMetrics – Google Analytics Dashboard for WordPress plugin is affected by an Insecure Direct Object Reference vulnerability. The flaw is in the store_settings() method of the ExactMetrics_Onboarding class, which performs its permission check against the user ID supplied in the request's triggered_by parameter, a value the caller controls, rather than against the authenticated user’s ID. An authenticated user who holds the exactmetrics_save_settings capability can therefore bypass the install_plugins capability check by supplying an administrator’s user ID. Consequently, the attacker could install arbitrary plugins, leading to potential Remote Code Execution on affected WordPress sites where administrative visibility permissions have been granted to other user types.
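
The pattern described above, as an added stand-alone illustration (not ExactMetrics source code and not the vendor's patch): `get_current_user_id()`, `user_can()` and `current_user_can()` are minimal stand-ins for the WordPress functions of the same name, and the user IDs, capability map and `may_install_*` helpers are hypothetical.

```php
<?php
// Added illustration; runs under plain PHP, outside WordPress.
// Constructed sample data: user 1 is an administrator, user 7 was only
// delegated the plugin's settings capability.
$GLOBALS['caps'] = [
    1 => ['install_plugins', 'exactmetrics_save_settings'],
    7 => ['exactmetrics_save_settings'],
];
$GLOBALS['session_user'] = 7; // the account that is actually logged in

// Stand-ins for the WordPress functions of the same name.
function get_current_user_id(): int { return $GLOBALS['session_user']; }
function user_can(int $user_id, string $cap): bool {
    return in_array($cap, $GLOBALS['caps'][$user_id] ?? [], true);
}
function current_user_can(string $cap): bool {
    return user_can(get_current_user_id(), $cap);
}

// Flawed pattern: the subject of the capability check is read from the request.
function may_install_flawed(array $request): bool {
    $actor = (int) ($request['triggered_by'] ?? 0);
    return user_can($actor, 'install_plugins');
}

// Hardened pattern (an assumption about a sound fix): the subject is always
// the session user, and a triggered_by value that disagrees with the session
// is rejected instead of being trusted.
function may_install_hardened(array $request): bool {
    if (isset($request['triggered_by'])
        && (int) $request['triggered_by'] !== get_current_user_id()) {
        return false;
    }
    return current_user_can('exactmetrics_save_settings')
        && current_user_can('install_plugins');
}

$request = ['triggered_by' => 1]; // constructed request naming the admin's ID
echo 'flawed check, session user 7:   '; var_dump(may_install_flawed($request));
echo 'hardened check, session user 7: '; var_dump(may_install_hardened($request));
$GLOBALS['session_user'] = 1;           // now the administrator is logged in
echo 'hardened check, session user 1: '; var_dump(may_install_hardened($request));
```

The same rule applies to any handler that accepts a user identifier from the client: treat it as data to validate against the session, never as the subject of an authorization decision.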

Affected Version(s)

ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) 8.0.0 <= 9.0.2

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Ali Sünbül