CVE-2026-5371: Unauthorized Access in MonsterInsights WordPress Plugin

The primary impact of CVE-2026-5371 is the unauthorized access and potential misuse of Google OAuth access tokens. An attacker who exploits this vulnerability could gain access to sensitive data associated with the website's Google Analytics and Google Ads accounts. This could include user data, campaign performance metrics, and potentially even billing information. The ability to reset the Google Ads integration further amplifies the impact, allowing an attacker to disrupt advertising campaigns and potentially redirect funds. While the vulnerability requires authentication, the low access level needed (Subscriber) significantly broadens the attack surface.

1. 已保留2026-04-01
2. 发布日期2026-05-12
3. 修改日期2026-05-13
4. EPSS 更新日期2026-05-14

The primary mitigation for CVE-2026-5371 is to immediately upgrade the MonsterInsights plugin to version 10.1.3 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily restricting access to the getadsaccesstoken() and resetexperience() functions. While not a complete fix, this can limit the attacker's ability to exploit the vulnerability. Review WordPress user roles and permissions to ensure that only necessary users have access. Monitor WordPress logs for suspicious activity related to Google OAuth authentication. After upgrading, confirm the fix by attempting to access the Google Ads integration with a Subscriber-level user account and verifying that access is denied.