Platform: wordpress
Component: google-analytics-dashboard-for-wp
Fixed in: 9.0.3
CVE-2026-1993 describes a Privilege Escalation vulnerability affecting the ExactMetrics – Google Analytics Dashboard for WordPress plugin. This flaw allows authenticated attackers with the exactmetricssavesettings capability to modify arbitrary plugin settings, potentially granting them unauthorized access and control. The vulnerability impacts versions 7.1.0 through 9.0.2 and has been resolved in version 9.0.3.
An attacker exploiting this vulnerability could gain elevated privileges within the WordPress environment by manipulating plugin settings. Specifically, they can modify the save_settings option, which controls which user roles have access to ExactMetrics functionality. This could allow a low-privilege user to impersonate an administrator, access sensitive data, or even execute arbitrary code if the plugin has other vulnerabilities. The impact extends beyond data exposure; an attacker could completely compromise the website's analytics and reporting capabilities, potentially leading to inaccurate data and flawed business decisions. This vulnerability highlights the importance of carefully controlling plugin settings and user permissions within WordPress installations.
CVE-2026-1993 was publicly disclosed on 2026-03-10. There is no indication of active exploitation at this time, and it is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not yet available, but the vulnerability's nature suggests it could be relatively easy to exploit once a PoC is developed.
Exploit Status
EPSS: 0.05% (14th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2026-1993 is to immediately upgrade the ExactMetrics plugin to version 9.0.3 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider restricting access to the plugin’s settings page to only administrators. Implement strict role-based access control within WordPress to limit the exactmetricssavesettings capability to trusted users. Regularly review plugin settings and user permissions to identify and remediate any misconfigurations. After upgrading, confirm the fix by verifying that users without administrative privileges cannot modify plugin settings.
Update to version 9.0.3, or a newer patched version
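A quick way to check whether an installed ExactMetrics version falls inside the affected range (7.1.0 through 9.0.2) or on the fixed side (9.0.3 or later), as an added example that is not part of the advisory. The plugin slug comes from the advisory; the wp-cli call at the end is an assumption about how the version would be read on a live site.

```shell
#!/bin/sh
# Added example (not the advisory's own tooling): classify an ExactMetrics
# version against the range stated for CVE-2026-1993.

# Compare two dotted versions (first three numeric components); prints -1, 0 or 1.
vercmp() {
  a="$1"; b="$2"
  i=1
  while [ "$i" -le 3 ]; do
    # Take the i-th component and drop any non-numeric suffix such as "-beta".
    x=$(printf '%s' "$a" | cut -d. -f"$i" | sed 's/[^0-9].*//')
    y=$(printf '%s' "$b" | cut -d. -f"$i" | sed 's/[^0-9].*//')
    x=${x:-0}; y=${y:-0}
    if [ "$x" -lt "$y" ]; then echo -1; return; fi
    if [ "$x" -gt "$y" ]; then echo 1; return; fi
    i=$((i + 1))
  done
  echo 0
}

# True (exit 0) when the version is within 7.1.0 .. 9.0.2 inclusive.
is_affected() {
  [ "$(vercmp "$1" 7.1.0)" -ge 0 ] && [ "$(vercmp "$1" 9.0.2)" -le 0 ]
}

# Report "affected", "fixed" (9.0.3 or later) or "outside stated range"
# (older than 7.1.0, which the advisory does not cover either way).
classify() {
  if is_affected "$1"; then
    echo affected
  elif [ "$(vercmp "$1" 9.0.3)" -ge 0 ]; then
    echo fixed
  else
    echo "outside stated range"
  fi
}

# On a live site (assumption: wp-cli is installed), read the installed version
# by the plugin slug given in the advisory and classify it.
if command -v wp >/dev/null 2>&1; then
  v=$(wp plugin get google-analytics-dashboard-for-wp --field=version 2>/dev/null || true)
  if [ -n "$v" ]; then
    echo "ExactMetrics $v: $(classify "$v")"
  fi
fi
```

After upgrading, rerun the check and confirm it reports "fixed" before relying on the new version.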
CVE-2026-1993 is a HIGH severity vulnerability in the ExactMetrics WordPress plugin allowing attackers to modify plugin settings and potentially gain unauthorized access.
You are affected if you are using ExactMetrics versions 7.1.0 through 9.0.2. Upgrade to 9.0.3 or later to mitigate the risk.
Upgrade the ExactMetrics plugin to version 9.0.3 or later. As a temporary workaround, restrict access to plugin settings to administrators only.
There is currently no indication of active exploitation, but the vulnerability's nature suggests it could be exploited once a proof-of-concept is available.
Refer to the official ExactMetrics website and WordPress plugin repository for the latest security advisory and update information.