The ExactMetrics – Google Analytics Dashboard for WordPress plugin suffers from an authorization bypass vulnerability classified as CWE-639 (Authorization Bypass Through User-Controlled Key). The vulnerability exists in versions 8.6.0 through 9.0.2 due to improper validation in the store_settings() method of the ExactMetrics_Onboarding class. Specifically, this method accepts a user-controlled 'triggered_by' parameter, which is used to verify permissions instead of the actual authenticated user's ID. This flaw allows an attacker who is authenticated and has the exactmetrics_save_settings capability—but lacks the install_plugins capability—to impersonate an administrator by specifying the administrator’s user ID in the 'triggered_by' parameter. Consequently, the attacker can bypass the install_plugins capability check, install arbitrary plugins, and execute remote code on the affected WordPress site. The vulnerability requires that the administrator has granted report-viewing permissions to other user roles, which is a prerequisite for exploitation. The attack vector is network-based, does not require user interaction beyond authentication, and can lead to full system compromise. Although no public exploits are currently known, the vulnerability’s CVSS 3.1 score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) indicates a high risk due to ease of exploitation and severe impact on confidentiality, integrity, and availability.

This vulnerability poses a significant risk to organizations running WordPress sites with the ExactMetrics plugin installed, particularly those that assign report-viewing permissions to non-administrator users. Exploitation allows attackers to escalate privileges from limited roles to administrator-level control, enabling arbitrary plugin installation and remote code execution. This can lead to full site compromise, data theft, defacement, malware distribution, or use of the compromised server as a pivot point for further attacks within the network. The impact extends beyond the WordPress application to the underlying server and potentially connected systems. Organizations with high-traffic websites, e-commerce platforms, or sensitive data hosted on WordPress are at particular risk. The vulnerability undermines trust in site integrity and can cause operational disruption, reputational damage, and regulatory compliance issues.

To mitigate this vulnerability, organizations should immediately update the ExactMetrics plugin to a patched version once available. Until a patch is released, administrators should revoke report-viewing permissions from non-administrator roles to eliminate the prerequisite for exploitation. Implement strict role-based access controls (RBAC) and audit user capabilities regularly to ensure no excessive permissions are granted. Employ Web Application Firewalls (WAFs) with custom rules to detect and block requests containing suspicious 'triggered_by' parameters or attempts to manipulate user IDs. Monitor logs for unusual plugin installation activities or privilege escalations. Additionally, harden the WordPress environment by disabling plugin installations for non-administrators at the server or hosting level where possible. Regular backups and incident response plans should be in place to recover quickly if exploitation occurs.