CVE-2026-5371 is a missing authorization vulnerability in MonsterInsights that turns a low-privilege WordPress account into a bridge for cross-platform credential theft. The issue is not limited to reading plugin settings. It allows a Subscriber to obtain a live Google OAuth access token that was granted during the site owner's Google onboarding flow, and it allows the same low-privilege user to reset the Google Ads integration state. That combination creates both confidentiality and integrity impact. The token is a portable bearer credential, which means it can be used outside WordPress against Google APIs until it expires or is revoked. With a reported install base above two million, the exposure is significant: many sites allow public registration and routinely hold low-privilege accounts that are easy to obtain.
| Field | Value |
|---|---|
| CVE | CVE-2026-5371 |
| Plugin | MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy) |
| All-time downloads | 262,999,740 |
| Active installations | 2,000,000+ |
| Publicly published | May 12, 2026 |
| Last updated | May 12, 2026 |
| Researcher | Dmitrii Ignatyev |
| PoC | Yes |
| Exploit | No |
| References | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-5371 ; https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/google-analytics-for-wordpress/monsterinsights-1012-missing-authorization-to-authenticated-subscriber-sensitive-information-exposure-and-plugin-integration-reset |
Timeline
| Date | Event |
|---|---|
| April 1, 2026 | Plugin testing and vulnerability detection in MonsterInsights completed |
| April 1, 2026 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| May 12, 2026 | CVE-2026-5371 registered |
Discovery of the Vulnerability
The vulnerable surface is a pair of AJAX handlers, monsterinsights_ads_get_token and monsterinsights_ads_reset_experience. Both validate only a nonce and do not enforce a capability check that would restrict access to administrators or to a MonsterInsights-specific permission such as monsterinsights_save_settings. The exploit becomes practical because the plugin prints its admin nonce (the monsterinsights.nonce value of its localized script) in wp-admin contexts reachable by low-privilege users, including profile.php. Once a Subscriber can read that nonce, they can call admin-ajax.php directly and the server returns the token or performs the reset without verifying that the caller is authorized to manage integrations. The core mistake is treating a nonce as if it were permission. A WordPress nonce only ties a request to a logged-in session and an intended action; it answers the CSRF question, not the authorization question. Without current_user_can checks, any user who can obtain the nonce is effectively trusted for actions that should be administrative.
Understanding Missing Authorization attacks
This class of vulnerability is particularly severe because it leaks third-party credentials rather than local WordPress data. Plugins routinely integrate with external services and store tokens that represent a business account. When access to those tokens is gated only by a nonce, the plugin effectively downgrades a high-value credential to data readable by low-privilege roles. In real deployments a Subscriber account can be created through open registration or obtained through phishing, so the threat model is realistic. Once the Google OAuth token is leaked, the attacker can query Google APIs that are not part of the plugin's UI at all, which makes this a cross-boundary incident: a compromised low-privilege WordPress user can pivot into Google services and enumerate account inventory, sites, and profiles. Nor is the impact limited to confidentiality. The reset endpoint adds integrity and availability impact because it lets the attacker break the Google Ads onboarding state and disrupt reporting and ad workflows. The result is a control inversion in which a plugin meant to provide analytics becomes a mechanism for credential theft and integration sabotage.
Exploiting the Missing Auth Vulnerability
To exploit CVE-2026-5371, an attacker who holds the session cookies of a Subscriber (or any higher role) first reads the MonsterInsights admin nonce from /wp-admin/profile.php, then sends the following requests to admin-ajax.php:
POC:
```bash
# MI_ADMIN_NONCE: the value of monsterinsights.nonce in the script localized on profile.php,
# readable by any logged-in Subscriber. cookies_subscriber.txt holds that Subscriber's session cookies.

# 1. Read the live Google OAuth access token (confidentiality impact)
curl -i -sS -b cookies_subscriber.txt -X POST 'https://victim.tld/wp-admin/admin-ajax.php' \
  --data-urlencode 'action=monsterinsights_ads_get_token' \
  --data-urlencode 'nonce=MI_ADMIN_NONCE'

# 2. Reset the Google Ads integration state (integrity/availability impact)
curl -i -sS -b cookies_subscriber.txt -X POST 'https://victim.tld/wp-admin/admin-ajax.php' \
  --data-urlencode 'action=monsterinsights_ads_reset_experience' \
  --data-urlencode 'nonce=MI_ADMIN_NONCE'
```
The main risk is cross-platform data exposure. A leaked token lets an attacker query Google APIs and obtain information the site owner considers confidential, including analytics account structure, Search Console site lists, AdSense accounts, and user profile metadata, depending on the granted scopes. Even if the token is short-lived, attackers can use it immediately for inventory and reconnaissance and then pivot into targeted abuse such as phishing with accurate account context. The reset action adds operational disruption: a low-privilege user can break the Google Ads onboarding state and cause teams to lose integration features until an administrator re-authorizes, which affects marketing operations and reporting continuity.

Another realistic scenario is insider abuse in organizations where many staff hold Subscriber or Author accounts for content collaboration. A single disgruntled user can silently exfiltrate the token and then access external resources without leaving obvious traces inside WordPress. Because the credential is valid outside WordPress, incident response becomes more complex: you must review Google API access logs and revoke the token, not only clean up WordPress. That is why this vulnerability should be treated as critical credential exposure rather than a typical plugin authorization bug.
Recommendations for Improved Security
The fix requires strict capability enforcement on every handler that returns tokens or changes integration state. monsterinsights_ads_get_token and monsterinsights_ads_reset_experience must require an administrative capability such as monsterinsights_save_settings or manage_options, and they must fail closed for any user lacking it. The nonce should still be validated as a CSRF control, but it must not be the only gate, and it should not be printed on pages reachable by low-privilege users such as profile.php. Token material should never be returned to the browser unless strictly required; if it must be, return it only to trusted roles, scope it narrowly, and audit every retrieval. The reset endpoint should log actor, IP, and timestamp and require a deliberate confirmation step to reduce accidental or malicious triggers.

For site owners, treat exposure as a credential compromise event. Revoke and rotate the Google tokens, review the MonsterInsights integration status, and audit which roles can reach wp-admin pages where nonces or localized scripts are printed. Limit open registration and reduce the number of low-privilege accounts where possible, because credential exposure becomes much easier when Subscribers are plentiful.
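The following PHP is an added example written for this page, not the plugin's own code, to make concrete the handler pattern described in the Discovery section and the fixes recommended above. It shows the nonce-only gate beside a hardened version that also checks capabilities, fails closed, requires confirmation for the reset, and writes an audit line, plus a must-use plugin guard a site owner can deploy while waiting for the patched release. The nonce action name 'mi-admin-nonce', the option names, the 'confirm' parameter, and all example_* function names are assumptions chosen for illustration; they are not taken from the plugin's source.

```php
<?php
/**
 * Illustrative "before" and "after" for the two AJAX handlers named in this advisory.
 * Example code, not MonsterInsights' source. The nonce action 'mi-admin-nonce' and the
 * option names below are assumptions used only to make the example self-contained.
 */

// ---- Vulnerable pattern (as described in the Discovery section): nonce is the only gate ----
function example_vuln_ads_get_token() {
    // check_ajax_referer() proves the request came from a page that printed the nonce.
    // Since the nonce is printed on profile.php, every Subscriber passes this check.
    check_ajax_referer( 'mi-admin-nonce', 'nonce' );
    $token = get_option( 'monsterinsights_ads_access_token', '' ); // assumed option name
    wp_send_json_success( array( 'token' => $token ) );           // live bearer token to any logged-in user
}

// ---- Hardened pattern: nonce AND capability, fail closed ----
function example_fixed_require_integration_admin() {
    // The nonce answers "did this request originate from our UI?" (CSRF) ...
    check_ajax_referer( 'mi-admin-nonce', 'nonce' );
    // ... and the capability answers "may this user manage integrations?" (authorization).
    // wp_send_json_error() terminates the request, so execution never continues past it.
    if ( ! current_user_can( 'monsterinsights_save_settings' ) && ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
}

function example_fixed_ads_get_token() {
    example_fixed_require_integration_admin();
    $token = get_option( 'monsterinsights_ads_access_token', '' );
    if ( '' === $token ) {
        wp_send_json_error( array( 'message' => 'No token configured.' ), 404 );
    }
    // Only a trusted role reaches this line. Even so, prefer server-side use of the token
    // over handing it to the browser whenever the feature allows it.
    wp_send_json_success( array( 'token' => $token ) );
}

function example_fixed_ads_reset_experience() {
    example_fixed_require_integration_admin();
    // Deliberate confirmation step: a stray or replayed request without it does nothing.
    if ( ! isset( $_POST['confirm'] ) || '1' !== sanitize_text_field( wp_unslash( $_POST['confirm'] ) ) ) {
        wp_send_json_error( array( 'message' => 'Reset not confirmed.' ), 400 );
    }
    delete_option( 'monsterinsights_ads_access_token' );       // assumed option names
    delete_option( 'monsterinsights_ads_onboarding_state' );
    // Audit trail: actor, source IP, timestamp.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : 'unknown';
    error_log( sprintf( '[monsterinsights] ads_reset_experience by user %d from %s at %s',
        get_current_user_id(), $ip, gmdate( 'c' ) ) );
    wp_send_json_success( array( 'reset' => true ) );
}

// Register only the logged-in variant (wp_ajax_, never wp_ajax_nopriv_) with the hardened callbacks.
add_action( 'wp_ajax_monsterinsights_ads_get_token', 'example_fixed_ads_get_token' );
add_action( 'wp_ajax_monsterinsights_ads_reset_experience', 'example_fixed_ads_reset_experience' );

// ---- Site-owner stopgap (drop into wp-content/mu-plugins/) until the patched plugin is installed ----
// Hooks the same AJAX actions at priority 1 so it runs before the plugin's own handler
// (assumed to be registered at the default priority 10) and refuses non-admin callers.
function example_mu_guard_monsterinsights_ads() {
    if ( ! current_user_can( 'monsterinsights_save_settings' ) && ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden.' ), 403 );
    }
}
add_action( 'wp_ajax_monsterinsights_ads_get_token', 'example_mu_guard_monsterinsights_ads', 1 );
add_action( 'wp_ajax_monsterinsights_ads_reset_experience', 'example_mu_guard_monsterinsights_ads', 1 );
```

The mu-plugin guard only works because WordPress runs lower-priority callbacks first and wp_send_json_error() ends the request before the plugin's handler executes; if a release renames the AJAX actions, the guard silently stops applying, so it is a bridge to the vendor fix rather than a replacement for it. Note also that the guard leaves the nonce exposure on profile.php untouched; only the plugin update removes that.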
By taking proactive measures against missing authorization issues like CVE-2026-5371, WordPress site owners can strengthen their security posture and guard against exploitation. Stay vigilant, stay secure.
#WordPressSecurity #MissingAuth #WebsiteSafety #StayProtected #HighVulnerability

