cleantalk
Vulnerabilities and Security Researches

ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin), CVE-2026-5488

CVE, Research URL

CVE-2026-5488

Home page URL

Security reports for ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin)

Application

ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin)

Published on
Apr 24, 2026
Research Description
The ExactMetrics – Google Analytics Dashboard for WordPress plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 9.1.2. This is due to missing capability checks in the get_ads_access_token() and reset_experience() AJAX handlers. While the mi-admin-nonce is localized on all admin pages (including profile.php which subscribers can access), and while other similar AJAX endpoints in the same class properly check for the exactmetrics_save_settings capability, these two endpoints only verify the nonce. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve valid Google Ads access tokens and reset Google Ads integration settings.
Affected versions
max 9.1.3.
Status
vulnerable
Previous vulnerability researches
WooCommerce Cart Abandonment Recovery (CVE-2026-39470) , Apr 25, 2026
WooCommerce Cart Abandonment Recovery (CVE-2024-2322) , Jun 06, 2024
New vulnerability
Restrict User Registration (CVE-2025-9892) , Apr 25, 2026
SnapWidget Social Photo Feed Widget (CVE-2025-58241) , Apr 25, 2026
Cozy Blocks – Page Builder Blocks for FSE and Gutenberg Editor, Gutenberg Blocks, WooCommerce Blocks, Post Blocks, Slider (CVE-2025-59573) , Apr 25, 2026
JoomSport – for Sports: Team & League, Football, Hockey & more (CVE-2025-7721) , Apr 25, 2026
World first Lifetime free Form Builder for WordPress (CVE-2025-58957) , Apr 25, 2026