Vulnerabilities and security researches forgoogle-analytics-dashboard-for-wp google-analytics-dashboard-for-wp

Apr 14, 2026

CVE, Research URL: CVE-2026-1993
Home page URL: Security reports for ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin)
Application: ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin)
Date: Mar 11, 2026
Research Description: The ExactMetrics – Google Analytics Dashboard for WordPress plugin is vulnerable to Improper Privilege Management in versions 7.1.0 through 9.0.2. This is due to the `update_settings()` function accepting arbitrary plugin setting names without a whitelist of allowed settings. This makes it possible for authenticated attackers with the `exactmetrics_save_settings` capability to modify any plugin setting, including the `save_settings` option that controls which user roles have access to plugin functionality. The admin intended to delegate configuration access to a trusted user, not enable that user to delegate access to everyone. By setting `save_settings` to include `subscriber`, an attacker can grant plugin administrative access to all subscribers on the site.
Affected versions: max 9.0.3.
Status: vulnerable

CVE, Research URL: CVE-2026-1992
Home page URL: Security reports for ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin)
Application: ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin)
Date: Mar 11, 2026
Research Description: The ExactMetrics – Google Analytics Dashboard for WordPress plugin is vulnerable to Insecure Direct Object Reference in versions 8.6.0 through 9.0.2. This is due to the `store_settings()` method in the `ExactMetrics_Onboarding` class accepting a user-supplied `triggered_by` parameter that is used instead of the current user's ID to check permissions. This makes it possible for authenticated attackers with the `exactmetrics_save_settings` capability to bypass the `install_plugins` capability check by specifying an administrator's user ID in the `triggered_by` parameter, allowing them to install arbitrary plugins and achieve Remote Code Execution. This vulnerability only affects sites on which administrator has given other user types the permission to view reports and can only be exploited by users of that type.
Affected versions: max 9.0.3.
Status: vulnerable

Jan 26, 2025

CVE, Research URL: CVE-2025-24750
Home page URL: Security reports for ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin)
Application: ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin)
Date: Jan 24, 2025
Research Description: Missing Authorization vulnerability in ExactMetrics ExactMetrics allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ExactMetrics: from n/a through 8.1.0.
Affected versions: max 8.2.0.
Status: vulnerable

Jun 06, 2024

CVE, Research URL: CVE-2023-23880
Home page URL: Security reports for ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin)
Application: ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin)
Date: Aug 08, 2023
Research Description: Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in ExactMetrics plugin <= 7.14.1 versions.
Affected versions: max 7.14.2.
Status: vulnerable

CVE, Research URL: CVE-2023-0082
Home page URL: Security reports for ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin)
Application: ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin)
Date: Feb 07, 2023
Research Description: The ExactMetrics WordPress plugin before 7.12.1 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
Affected versions: max 7.12.1.
Status: vulnerable