[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fWKXTbzFFVNOU2TROwNX_ZmFxKmwpUrGHqOL8AhSfIKg":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-1992","exactmetrics-authenticated-custom-insecure-direct-object-reference-to-arbitrary-plugin-installation","ExactMetrics 8.6.0 - 9.0.2 - Authenticated (Custom) Insecure Direct Object Reference to Arbitrary Plugin Installation","The ExactMetrics – Google Analytics Dashboard for WordPress plugin is vulnerable to Insecure Direct Object Reference in versions 8.6.0 through 9.0.2. This is due to the `store_settings()` method in the `ExactMetrics_Onboarding` class accepting a user-supplied `triggered_by` parameter that is used instead of the current user's ID to check permissions. This makes it possible for authenticated attackers with the `exactmetrics_save_settings` capability to bypass the `install_plugins` capability check by specifying an administrator's user ID in the `triggered_by` parameter, allowing them to install arbitrary plugins and achieve Remote Code Execution. 
This vulnerability only affects sites on which an administrator has given other user types the permission to view reports and can only be exploited by users of that type.","google-analytics-dashboard-for-wp",null,">=8.0.0 \u003C=9.0.2","9.0.3","high",8.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Authorization Bypass Through User-Controlled Key","2026-03-10 21:00:15","2026-03-11 09:25:45",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F79b6b896-df66-4c3d-a4d4-d3dbeb630134?source=api-prod",1,[22,23,24,25,26,27,28,29],"assets\u002Fgutenberg\u002Fjs\u002Feditor.js","gadwp.php","includes\u002Fadmin\u002Fadmin-assets.php","includes\u002Fadmin\u002Fadmin.php","includes\u002Fadmin\u002Fclass-exactmetrics-onboarding.php","includes\u002Fadmin\u002Fexclude-page-metabox.php","includes\u002Fadmin\u002Froutes.php","includes\u002Fadmin\u002Fsite-notes\u002FController.php","researched",false,3,"This research plan outlines the exploitation of an IDOR vulnerability in the ExactMetrics plugin (versions 8.6.0 - 9.0.2) that allows authenticated users with the `exactmetrics_save_settings` capability to install arbitrary plugins by impersonating an administrator via the `triggered_by` parameter.\n\n### 1. Vulnerability Summary\nThe `ExactMetrics_Onboarding` class provides a REST API endpoint `\u002Fonboarding\u002Fsettings` intended for the onboarding wizard. The `store_settings()` method processes updates to plugin settings. When a request includes instructions to install plugins, the method checks for the `install_plugins` capability. However, instead of checking the currently logged-in user's capabilities, it uses a user-supplied `triggered_by` parameter to determine the permission level. This allows a low-privileged user (who has been granted ExactMetrics-specific permissions) to provide an Administrator's ID (usually `1`) and bypass the core WordPress capability check.\n\n### 2. 
Attack Vector Analysis\n- **Endpoint**: `POST \u002Fwp-json\u002Fexactmetrics\u002Fv1\u002Fonboarding\u002Fsettings`\n- **Method**: `CREATABLE` (POST)\n- **Vulnerable Parameter**: `triggered_by`\n- **Authentication**: Authenticated user with the `exactmetrics_save_settings` capability. By default, only administrators have this, but administrators can grant it to Editors or Authors via the plugin's \"Advanced\" settings.\n- **Preconditions**: The site must have the \"Save Settings\" permission granted to a non-admin role in ExactMetrics -> Settings -> Advanced -> Permissions.\n\n### 3. Code Flow\n1.  **Registration**: `ExactMetrics_Onboarding::register_routes()` (in `includes\u002Fadmin\u002Fclass-exactmetrics-onboarding.php`) registers the `CREATABLE` route for `\u002Fonboarding\u002Fsettings`.\n2.  **Authorization**: The `permission_callback` points to `validate_onboarding_request`. This method validates a custom `onboarding_key` parameter against a WordPress transient `exactmetrics_onboarding_key`.\n3.  **Processing**: The callback `store_settings($request)` is invoked.\n4.  **The IDOR Sink**: Inside `store_settings` (or the underlying logic it calls), the code retrieves `$request->get_param('triggered_by')`.\n5.  **Bypass**: It performs a check similar to `if ( user_can( $triggered_by, 'install_plugins' ) )`. Since the attacker provides `1` (the ID of the primary admin), this check passes.\n6.  **Installation**: The plugin slug provided in the `install_plugins` array is passed to the plugin installer.\n\n### 4. Nonce & Key Acquisition Strategy\nThe REST endpoint uses a custom `onboarding_key` instead of a standard `wp_rest` nonce. This key is generated by the plugin and stored in a transient when an authorized user accesses the settings or onboarding wizard.\n\n**Acquisition Steps:**\n1.  **Grant Permission**: As Admin, navigate to `ExactMetrics -> Settings -> Advanced -> Permissions` and add the `Editor` role to \"Save Settings\".\n2.  
**Login as Editor**: Access the WordPress dashboard.\n3.  **Retrieve Key**:\n    - Navigate to `ExactMetrics -> Settings`.\n    - Use `browser_eval` to extract the key from the localized JavaScript data.\n    - The key is typically found in `window.exactmetrics_admin.onboarding_key` or `window.exactmetrics_onboarding_wizard.onboarding_key`.\n    - Verification: `browser_eval(\"window.exactmetrics_admin?.onboarding_key || 'not_found'\")`.\n\n### 5. Exploitation Strategy\nThe goal is to install a plugin that allows Remote Code Execution (e.g., `wp-file-manager`).\n\n**Step-by-Step Plan:**\n1.  **Setup**: Configure the environment with an Editor user and the required ExactMetrics permission.\n2.  **Extract Key**: Navigate to the ExactMetrics settings page as the Editor and extract the `onboarding_key`.\n3.  **Forge Request**: Send a POST request to the REST API.\n    - **URL**: `http:\u002F\u002Fvulnerable-site.local\u002Fwp-json\u002Fexactmetrics\u002Fv1\u002Fonboarding\u002Fsettings`\n    - **Headers**: `Content-Type: application\u002Fjson`\n    - **Payload**:\n      ```json\n      {\n        \"onboarding_key\": \"[EXTRACTED_KEY]\",\n        \"triggered_by\": 1,\n        \"settings\": {\n          \"install_plugins\": [\"wp-file-manager\"]\n        }\n      }\n      ```\n4.  **Verification**: Confirm the plugin is installed and activated.\n\n### 6. Test Data Setup\n1.  **Install ExactMetrics 9.0.2**: Ensure the vulnerable version is active.\n2.  **Create Users**:\n    - Administrator: `admin` \u002F `password` (ID 1)\n    - Editor: `attacker` \u002F `password` (ID 2)\n3.  **Configure Permissions**:\n    - Use WP-CLI to grant the Editor role permission (or do it manually via the UI):\n    - `wp option patch insert exactmetrics_settings save_settings editor` (Note: exact option path may vary, UI is more reliable for setup).\n4.  
**Generate Key**: Navigate to `\u002Fwp-admin\u002Fadmin.php?page=exactmetrics_settings` once as the Editor to ensure the transient is generated.\n\n### 7. Expected Results\n- **Response**: The REST API should return a `200 OK` response, possibly containing a success message or the updated settings object.\n- **Action**: The `wp-file-manager` plugin (or the requested slug) will be downloaded, installed, and potentially activated.\n\n### 8. Verification Steps\n1.  **Check Plugin Directory**:\n    - `wp plugin is-installed wp-file-manager`\n    - Or: `ls -la \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fwp-file-manager`\n2.  **Check Activation**:\n    - `wp plugin status wp-file-manager`\n\n### 9. Alternative Approaches\nIf `store_settings` structure differs slightly in the JSON nesting:\n- Try placing `install_plugins` at the top level of the JSON body.\n- Try `triggered_by` as a query parameter: `POST \u002Fwp-json\u002Fexactmetrics\u002Fv1\u002Fonboarding\u002Fsettings?triggered_by=1`.\n- If the `onboarding_key` is not found in global JS, check `ExactMetrics_Onboarding::get_info` (`GET \u002Fwp-json\u002Fexactmetrics\u002Fv1\u002Fonboarding\u002Fsettings?onboarding_key=...`) to see if it refreshes or leaks more configuration info.","ExactMetrics versions 8.6.0 through 9.0.2 are vulnerable to an Insecure Direct Object Reference (IDOR) that allows authenticated users to install arbitrary plugins. 
The vulnerability exists in the `store_settings()` method, which uses a user-supplied `triggered_by` parameter to perform capability checks instead of the actual logged-in user's ID, allowing low-privileged users with 'Save Settings' permissions to impersonate an administrator.","\u002F\u002F includes\u002Fadmin\u002Fclass-exactmetrics-onboarding.php\n\nregister_rest_route( $namespace, '\u002Fonboarding\u002Fsettings', array(\n    'args' => array(\n        'onboarding_key' => array(\n            'required'          => true,\n            'type'              => 'string',\n            'sanitize_callback' => 'sanitize_text_field',\n            'validate_callback' => function( $param ) {\n                return ! empty( $param );\n            },\n        ),\n    ),\n    array(\n        'methods'             => WP_REST_Server::READABLE,\n        'callback'            => array( $this, 'get_info' ),\n        'permission_callback' => array( $this, 'validate_onboarding_request' ),\n    ),\n    array(\n        'methods'             => WP_REST_Server::CREATABLE,\n        'callback'            => array( $this, 'store_settings' ),\n        'permission_callback' => array( $this, 'validate_onboarding_request' ),\n    ),\n) );\n\n--- \n\n\u002F\u002F Logical representation of the vulnerable store_settings method inside includes\u002Fadmin\u002Fclass-exactmetrics-onboarding.php\n\npublic function store_settings( $request ) {\n    $triggered_by = $request->get_param( 'triggered_by' );\n    $settings     = $request->get_param( 'settings' );\n\n    if ( ! 
empty( $settings['install_plugins'] ) ) {\n        \u002F\u002F Vulnerable check: uses the user-provided ID from 'triggered_by' instead of get_current_user_id()\n        if ( user_can( $triggered_by, 'install_plugins' ) ) {\n             \u002F\u002F Logic to install plugins provided in settings['install_plugins']\n        }\n    }\n}","diff -ru includes\u002Fadmin\u002Fclass-exactmetrics-onboarding.php includes\u002Fadmin\u002Fclass-exactmetrics-onboarding.php\n--- includes\u002Fadmin\u002Fclass-exactmetrics-onboarding.php\n+++ includes\u002Fadmin\u002Fclass-exactmetrics-onboarding.php\n@@ -210,7 +210,7 @@\n \tpublic function store_settings( $request ) {\n-\t\t$triggered_by = $request->get_param( 'triggered_by' );\n+\t\t$triggered_by = get_current_user_id();\n \t\t$settings     = $request->get_param( 'settings' );\n \n \t\tif ( ! empty( $settings['install_plugins'] ) ) {\n-\t\t\tif ( user_can( $triggered_by, 'install_plugins' ) ) {\n+\t\t\tif ( current_user_can( 'install_plugins' ) ) {","The exploit targets the `\u002Fwp-json\u002Fexactmetrics\u002Fv1\u002Fonboarding\u002Fsettings` REST API endpoint. To exploit this, an attacker needs a valid 'onboarding_key', which is stored in a WordPress transient and localized into the plugin's administration JavaScript. \n\n1. Authentication: The attacker must be logged in as a user who has been granted the 'exactmetrics_save_settings' capability (often Authors or Editors on sites where an Admin has adjusted ExactMetrics permissions).\n2. Key Retrieval: The attacker navigates to any ExactMetrics settings page and extracts the `onboarding_key` from the `window.exactmetrics_admin` or `window.exactmetrics_onboarding_wizard` JavaScript objects.\n3. 
Payload Creation: The attacker constructs a POST request containing the `onboarding_key`, a `triggered_by` parameter set to the ID of a known administrator (typically '1'), and a `settings` object containing an `install_plugins` array with the slug of the desired plugin (e.g., 'wp-file-manager').\n4. Execution: Upon sending the request, the plugin validates the key and then checks if the user identified by `triggered_by` (the Admin) has the `install_plugins` capability. Because this check passes, the plugin proceeds to download, install, and activate the specified plugin, potentially allowing the attacker to achieve Remote Code Execution (RCE).","gemini-3-flash-preview","2026-04-18 04:27:46","2026-04-18 04:28:17",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","9.0.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgoogle-analytics-dashboard-for-wp\u002Ftags\u002F9.0.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fgoogle-analytics-dashboard-for-wp.9.0.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgoogle-analytics-dashboard-for-wp\u002Ftags\u002F9.0.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fgoogle-analytics-dashboard-for-wp.9.0.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgoogle-analytics-dashboard-for-wp\u002Ftags"]