Introduction
A chained authorization bypass in the ExactMetrics Google Analytics Dashboard for WordPress plugin allows authenticated users with Editor level access to install and activate arbitrary plugins from attacker controlled URLs, resulting in remote code execution. With over 300,000 active installations, this vulnerability (CVE-2026-5464, CVSS 7.2) represents a meaningful risk across the WordPress ecosystem.
ExactMetrics is a widely used WordPress plugin that integrates Google Analytics reporting directly into the WordPress admin dashboard. It simplifies analytics setup and provides traffic reports without requiring users to leave their site's backend. Its large install base makes it a notable target for attackers looking to compromise WordPress sites at scale.
Technical Information
CVE-2026-5464 is classified under CWE-862 (Missing Authorization Check). The vulnerability is not a single missing check but rather a chain of three weakly protected endpoints that, when exploited in sequence, allow an attacker to go from a leaked transient value to full remote code execution.
Step 1: Reports Page Leaks the Onboarding Key
The exploitation chain begins at the ExactMetrics reports page. Any user who holds the exactmetrics_view_dashboard capability can access this page. The code in admin-assets.php (specifically around line 932 in version 9.1.1) localizes data for the frontend JavaScript and includes the onboarding_key transient. This transient is readable from the page source or the JavaScript context by any user with the dashboard viewing permission, which includes Editors who have been granted this capability.
The onboarding_key transient is the sole authorization gate for the next step in the chain.
Step 2: REST Endpoint Exchanges the Key for a One Time Hash
With the leaked onboarding_key, the attacker sends a request to:
/wp-json/exactmetrics/v1/onboarding/connect-url
This route is registered in class-exactmetrics-onboarding.php (line 109 in version 9.1.1). The permission callback for this endpoint only validates whether the provided key matches the stored transient. No WordPress capability check is performed at this stage. Upon successful validation, the endpoint returns a One Time Hash (OTH) token.
Step 3: AJAX Endpoint Installs Arbitrary Plugins Without Authorization
The final and most critical link in the chain is the exactmetrics_connect_process AJAX endpoint, defined in connect.php (lines 27 and 219 in version 9.1.1). This endpoint is registered using wp_ajax_nopriv_exactmetrics_connect_process, which means it is accessible without standard WordPress authentication. The function:
- Checks only the OTH token obtained in Step 2
- Performs no capability check
- Performs no nonce verification
- Accepts an arbitrary plugin ZIP URL via the file parameter
- Passes that URL directly to the WordPress plugin installer for installation and activation
Endpoint Authorization Summary
| Endpoint | Auth Hook | Capability Check | Sensitive Action |
|---|---|---|---|
| /onboarding/connect-url | REST API | Transient key validation only | Issues One Time Hash token |
| exactmetrics_connect_process | wp_ajax_nopriv | None | Installs and activates arbitrary plugin ZIP |
The entire authorization model collapses because the transient key is exposed to users who should not have access to the onboarding flow, and the downstream endpoints treat possession of the key (and subsequently the OTH token) as sufficient proof of authorization. Since WordPress plugins execute PHP code, installing a malicious plugin ZIP from an attacker controlled URL constitutes remote code execution.
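As an added example (not ExactMetrics' own code), the following PHP shows how the three endpoints described in Steps 1 to 3 look once each carries the check the chain relies on being absent: a capability gate on the leaked key, a capability check in the REST permission callback, and a logged-in AJAX hook with nonce verification and a package-source allowlist. Function names, the transient name and the allowlisted host are assumptions; the WordPress APIs used are real.

```php
<?php
// Added example, not the plugin's own code. Function names, the transient name
// and the host allowlist are assumptions; register_rest_route, check_ajax_referer,
// current_user_can and the wp_ajax_* hooks are the real WordPress APIs.
// Step 1: expose the onboarding key only to users allowed to install plugins.
function hardened_localize_onboarding_data() {
    $data = array( 'ajax_url' => admin_url( 'admin-ajax.php' ) );
    if ( current_user_can( 'install_plugins' ) ) {
        $data['onboarding_key'] = get_transient( 'exactmetrics_onboarding_key' );
        $data['nonce']          = wp_create_nonce( 'exactmetrics_connect' );
    }
    wp_localize_script( 'exactmetrics-admin', 'exactmetricsData', $data );
}
// Step 2: the REST permission callback demands a capability, not just key knowledge.
function hardened_connect_url_permission( WP_REST_Request $request ) {
    $stored = get_transient( 'exactmetrics_onboarding_key' );
    $given  = (string) $request->get_param( 'key' );
    return current_user_can( 'install_plugins' )
        && is_string( $stored ) && '' !== $stored && hash_equals( $stored, $given );
}
function hardened_connect_url_callback() {
    $oth = wp_generate_password( 32, false ); // short-lived, bound to this user
    set_transient( 'exactmetrics_oth_' . get_current_user_id(), $oth, 10 * MINUTE_IN_SECONDS );
    return rest_ensure_response( array( 'oth' => $oth ) );
}
add_action( 'rest_api_init', function () {
    register_rest_route( 'exactmetrics/v1', '/onboarding/connect-url', array(
        'methods'             => 'POST',
        'callback'            => 'hardened_connect_url_callback',
        'permission_callback' => 'hardened_connect_url_permission',
    ) );
} );
// Step 3: logged-in hook only (no wp_ajax_nopriv_), nonce, capability, and a
// host allowlist for the package URL; the OTH alone is never treated as authorization.
function hardened_connect_process() {
    check_ajax_referer( 'exactmetrics_connect', 'nonce' ); // dies on a missing/invalid nonce
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( 'insufficient_capability', 403 );
    }
    $url     = esc_url_raw( wp_unslash( $_POST['file'] ?? '' ) );
    $allowed = array( 'downloads.wordpress.org' ); // assumed allowlist
    if ( 'https' !== wp_parse_url( $url, PHP_URL_SCHEME )
        || ! in_array( wp_parse_url( $url, PHP_URL_HOST ), $allowed, true ) ) {
        wp_send_json_error( 'untrusted_package_source', 400 );
    }
    wp_send_json_success( array( 'file' => $url ) ); // only now hand $url to Plugin_Upgrader
}
add_action( 'wp_ajax_exactmetrics_connect_process', 'hardened_connect_process' );
```

Each check stands on its own, so an Editor who can still read the key gains nothing from it, and an unauthenticated caller never reaches the installer.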
Attack Flow Summary
- Attacker authenticates as an Editor (or higher) with the exactmetrics_view_dashboard capability.
- Attacker visits the ExactMetrics reports page and extracts the onboarding_key transient from the localized JavaScript data.
- Attacker sends a request to /wp-json/exactmetrics/v1/onboarding/connect-url with the leaked key, receiving an OTH token in response.
- Attacker calls admin-ajax.php?action=exactmetrics_connect_process with the OTH token and a file parameter pointing to a malicious plugin ZIP hosted on an attacker controlled server.
- WordPress installs and activates the malicious plugin, executing the attacker's PHP code on the server.
Affected Systems and Versions
All versions of the ExactMetrics Google Analytics Dashboard for WordPress plugin up to and including version 9.1.2 are affected. The vulnerability requires:
- An authenticated user account with at least Editor level privileges
- The exactmetrics_view_dashboard capability granted to that user (this is a plugin specific capability that can be assigned to non Administrator roles)
Version 9.1.3 has been released by the vendor to address this vulnerability.
References
- NVD Entry for CVE-2026-5464
- Wordfence Threat Intelligence Advisory
- Wordfence Vulnerability Detail Page
- ExactMetrics Plugin on WordPress.org
- Source: admin-assets.php (v9.1.1, line 932)
- Source: class-exactmetrics-onboarding.php (v9.1.1, line 109)
- Source: connect.php (v9.1.1, line 219)
- Source: connect.php (v9.1.1, line 27)