216.73.216.205

CVE-2026-1993

· Published 11/03/2026 10:16 · Modified 11/03/2026 13:52

Labels: CVE-2026-1993 2026-03-11CVE-2026-1993CWE-269[email protected]

Essential information

Published
11/03/2026 10:16
Modified
11/03/2026 13:52
Author
Creator
CVSS
8.8 HIGH (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS metrics

Description

The ExactMetrics – Google Analytics Dashboard for WordPress plugin is vulnerable to Improper Privilege Management in versions 7.1.0 through 9.0.2. This is due to the `update_settings()` function accepting arbitrary plugin setting names without a whitelist of allowed settings. This makes it possible for authenticated attackers with the `exactmetrics_save_settings` capability to modify any plugin setting, including the `save_settings` option that controls which user roles have access to plugin functionality. The admin intended to delegate configuration access to a trusted user, not enable that user to delegate access to everyone. By setting `save_settings` to include `subscriber`, an attacker can grant plugin administrative access to all subscribers on the site.

NVD status

Status
Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
exactmetrics / google analytics dashboard for wordpress cpe:2.3:a:exactmetrics:google_analytics_dashboard_for_wordpress:7.1.0-9.0.2:*:*:*:*:wordpress:*:*

References