The ExactMetrics plugin for WordPress suffers from a missing authorization vulnerability (CWE-862) that enables arbitrary plugin installation and activation. The reports page exposes an 'onboarding_key' transient to users with the 'exactmetrics_view_dashboard' capability. This key authorizes the '/wp-json/exactmetrics/v1/onboarding/connect-url' REST endpoint, which returns a one-time hash token. This token is the sole credential checked by the 'exactmetrics_connect_process' AJAX endpoint, which lacks capability checks and nonce verification and accepts an arbitrary plugin ZIP URL for installation and activation. Consequently, authenticated users with Editor-level access or higher who can view reports can exploit this to install and activate plugins from attacker-controlled URLs, potentially leading to remote code execution.

Successful exploitation allows attackers with Editor-level or higher permissions and the 'exactmetrics_view_dashboard' capability to install and activate arbitrary plugins on the WordPress site. This can lead to remote code execution, compromising the confidentiality, integrity, and availability of the affected system. The CVSS v3.1 base score is 7.2, indicating high severity with network attack vector, low attack complexity, and high impact on confidentiality, integrity, and availability.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or patch links are provided at this time. Until a patch is available, restrict the 'exactmetrics_view_dashboard' capability to trusted users only, and consider disabling or removing the ExactMetrics plugin if possible to prevent exploitation.