ExactMetrics – Google Analytics Dashboard for WordPress (Website St…

by | Mar 11, 2026 | Plugins

Attack Vectors

CVE-2026-1992 affects ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) (slug: google-analytics-dashboard-for-wp) in versions 8.6.0 through 9.0.2. The severity is rated High (CVSS 8.8, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), meaning it can be exploited remotely with low complexity once an attacker has a valid login with the right (limited) permission in WordPress.

The primary risk is from a compromised or malicious non-admin account that can save ExactMetrics settings (i.e., has the exactmetrics_save_settings capability). In practical terms, this could include a staff account, contractor account, or an account obtained through password reuse, phishing, or another unrelated WordPress weakness.

Because no user interaction is required (UI:N), exploitation can be automated and fast. If your site allows many user accounts (e.g., marketing teams, agencies, content contributors), the likelihood of a “low-privileged account” being abused is higher.

Security Weakness

This issue is an Insecure Direct Object Reference (IDOR) in the plugin’s onboarding/settings flow. According to the published advisory, the store_settings() method in the ExactMetrics_Onboarding class accepts a user-supplied parameter (triggered_by) and uses it instead of the currently logged-in user when checking permissions.

As a result, an authenticated attacker with the ability to save ExactMetrics settings can supply an administrator’s user ID in that parameter, so that the WordPress capability check (specifically the check for install_plugins) is evaluated against the administrator rather than the attacker and is effectively bypassed. This can enable arbitrary plugin installation under the conditions described in the advisory.
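
The following is an added illustration of the weakness described above, not ExactMetrics’ own code: a WordPress settings handler that performs its capability check against a client-supplied triggered_by user ID, shown beside the corrected form that binds the check to the authenticated session. All function and option names are assumptions chosen for this example.

```php
<?php
// Added example (hypothetical names), not the plugin's source.
// Shows why a permission check keyed on a request parameter is an IDOR,
// and how the same handler looks when bound to the logged-in user.

// VULNERABLE pattern: the capability is evaluated for whatever user ID the
// request names, so the caller's own privileges are never consulted.
function example_store_settings_vulnerable( array $request ) {
    $triggered_by = isset( $request['triggered_by'] ) ? absint( $request['triggered_by'] ) : 0;

    // user_can() checks $triggered_by, not the current session.
    if ( ! user_can( $triggered_by, 'install_plugins' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient permissions.' );
    }
    return example_apply_settings( $request );
}

// HARDENED pattern: require a session, verify a nonce for this action, and
// evaluate the capability for the current user only. Any client-supplied
// user ID is ignored for authorization and overwritten for the audit trail.
function example_store_settings_hardened( array $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'forbidden', 'Login required.' );
    }
    if ( ! isset( $request['_wpnonce'] )
        || ! wp_verify_nonce( $request['_wpnonce'], 'example_store_settings' ) ) {
        return new WP_Error( 'forbidden', 'Invalid nonce.' );
    }
    // current_user_can() resolves against get_current_user_id(), never a parameter.
    if ( ! current_user_can( 'install_plugins' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient permissions.' );
    }
    // Record who actually made the change, decided server-side.
    $request['triggered_by'] = get_current_user_id();
    return example_apply_settings( $request );
}

// Persist only the expected key, sanitized; placeholder for the real write.
function example_apply_settings( array $request ) {
    $value = isset( $request['option_value'] ) ? sanitize_text_field( wp_unslash( $request['option_value'] ) ) : '';
    update_option( 'example_settings', $value );
    return true;
}
```

When reviewing plugin code for this class of bug, search for user_can() and similar calls whose first argument comes from $_POST, $_GET or a REST request body rather than from get_current_user_id().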

Reference: CVE-2026-1992 record and the vendor/community write-up: Wordfence advisory.

Technical or Business Impacts

Website takeover risk. The ability to install plugins is effectively an administrative power. If an attacker can install a malicious or vulnerable plugin, they may gain deeper control over the site, create hidden admin accounts, change site content, or establish persistence.

Data exposure and compliance impact. Once administrative control is achieved, attackers can potentially access sensitive information stored in WordPress (customer data, form submissions, internal documents, API keys), change tracking scripts, or tamper with analytics and marketing attribution. This can create reporting inaccuracies and trigger privacy/compliance concerns depending on what data is exposed.

Business disruption and brand damage. Compromised sites are often used to serve malware, spam SEO pages, or redirect visitors—directly impacting lead generation, paid campaign performance, and brand trust. Recovery typically requires emergency incident response, site cleanup, and potentially customer notifications.

Remediation: Update ExactMetrics to version 9.0.3 or newer patched versions as recommended. Also review who has access to WordPress accounts with elevated plugin or analytics-related permissions, and remove/disable unused accounts.

Similar Attacks

WordPress compromises frequently escalate from “small” permission issues to full administrative control. Two notable examples include:

CVE-2020-25213 (File Manager plugin) — a widely exploited vulnerability that enabled remote compromise through a popular plugin.
CVE-2017-1001000 (WordPress REST API content injection) — an issue that allowed unauthorized content modification on affected WordPress versions, demonstrating how authorization flaws can quickly translate into reputational and SEO damage.
