216.73.216.233

CVE-2026-5488

· Published 24/04/2026 04:16 · Modified 24/04/2026 14:38

Labels: CVE-2026-5488 2026-04-24CVE-2026-5488CWE-862[email protected]

Essential information

Published
24/04/2026 04:16
Modified
24/04/2026 14:38
Author
Creator
CVSS
5.3 MEDIUM (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS metrics

Description

The ExactMetrics – Google Analytics Dashboard for WordPress plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 9.1.2. This is due to missing capability checks in the get_ads_access_token() and reset_experience() AJAX handlers. While the mi-admin-nonce is localized on all admin pages (including profile.php which subscribers can access), and while other similar AJAX endpoints in the same class properly check for the exactmetrics_save_settings capability, these two endpoints only verify the nonce. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve valid Google Ads access tokens and reset Google Ads integration settings.

NVD status

Status
Deferred — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
exactmetrics / google analytics dashboard cpe:2.3:a:exactmetrics:google_analytics_dashboard:<=9.1.2:*:*:*:*:wordpress:*:*

References