CVE-2026-1992
Published: 11 March 2026
Summary
CVE-2026-1992 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in WordPress (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 45.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2026-1992 is an Insecure Direct Object Reference (IDOR) vulnerability, classified under CWE-639, affecting the ExactMetrics – Google Analytics Dashboard for WordPress plugin in versions 8.6.0 through 9.0.2. The issue resides in the `store_settings()` method of the `ExactMetrics_Onboarding` class, which accepts a user-supplied `triggered_by` parameter and uses it in place of the current user's ID when checking permissions. This flaw has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-03-11.
Authenticated attackers possessing the `exactmetrics_save_settings` capability can exploit this vulnerability to bypass the `install_plugins` capability check. By specifying an administrator's user ID in the `triggered_by` parameter, such attackers can install arbitrary plugins, potentially leading to remote code execution (RCE). Exploitation is limited to sites where administrators have granted non-administrator user types permission to view reports, and only those specific users can perform the attack.
References point to the vulnerable code at line 273 in `class-exactmetrics-onboarding.php`, a patch in changeset 3473805 of the plugin's Trac repository, and a Wordfence threat intelligence advisory detailing the issue.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-11127
Vulnerability details
The ExactMetrics – Google Analytics Dashboard for WordPress plugin is vulnerable to Insecure Direct Object Reference in versions 8.6.0 through 9.0.2. This is due to the `store_settings()` method in the `ExactMetrics_Onboarding` class accepting a user-supplied `triggered_by` parameter that is used instead of the current user's ID to check permissions. This makes it possible for authenticated attackers with the `exactmetrics_save_settings` capability to bypass the `install_plugins` capability check by specifying an administrator's user ID in the `triggered_by` parameter, allowing them to install arbitrary plugins and achieve Remote Code Execution. This vulnerability only affects sites on which an administrator has given other user types the permission to view reports, and it can only be exploited by users of that type.
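As an added illustration of the CWE-639 pattern the advisory describes (this is not the plugin's own code and is not taken from the advisory), the flawed authorisation check is shown beside a hardened form. `vulnerable_store_settings`, `hardened_store_settings`, the nonce action name and the `$request` array are assumptions; `user_can()`, `current_user_can()`, `get_current_user_id()` and `check_ajax_referer()` are WordPress core functions.

```php
<?php
// Illustrative reconstruction of the vulnerable pattern, not the plugin's
// source. Returns true when the request is authorised to install plugins.

// Vulnerable: the capability check is evaluated against whichever user ID the
// request supplies in `triggered_by`, not against the authenticated caller.
function vulnerable_store_settings( array $request ): bool {
    $user_id = isset( $request['triggered_by'] ) ? (int) $request['triggered_by'] : 0;

    // CWE-639: a caller who can reach this endpoint controls $user_id, so the
    // check answers "can user X install plugins?" rather than "can you?".
    if ( ! user_can( $user_id, 'install_plugins' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
        return false;
    }
    return true; // caller proceeds to install the requested plugin
}

// Hardened: authorise the logged-in session and never trust a request field
// for identity (NIST 800-53 AC-3), and validate `triggered_by` against the
// server-side user ID if it must be retained (SI-10).
function hardened_store_settings( array $request ): bool {
    // Ties the request to the logged-in session; also a CSRF defence.
    check_ajax_referer( 'exactmetrics-onboarding', 'nonce' ); // action name assumed

    // Plugin-level gate first, then the WordPress capability that actually
    // authorises plugin installation, both for the current user only.
    if ( ! current_user_can( 'exactmetrics_save_settings' ) || ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
        return false;
    }

    // Any client-supplied user ID must agree with the session; a mismatch is
    // both rejected and logged, since it is a useful detection signal.
    $acting_user = get_current_user_id();
    if ( isset( $request['triggered_by'] ) && (int) $request['triggered_by'] !== $acting_user ) {
        error_log( sprintf( 'triggered_by mismatch: request=%d session=%d',
            (int) $request['triggered_by'], $acting_user ) );
        wp_send_json_error( 'triggered_by does not match authenticated user', 400 );
        return false;
    }
    return true; // caller proceeds, recording $acting_user rather than the request value
}
```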
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An IDOR authorization bypass in a public-facing WordPress plugin directly enables exploitation via T1190; bypassing the capability check is privilege escalation (T1068), and installing a malicious plugin yields a web shell or RCE (T1505.003).
Mitigating Controls (NIST 800-53 r5)
AC-3 enforces approved authorizations using the current user's identity rather than user-supplied 'triggered_by' parameters, directly preventing the IDOR permission bypass.
SI-10 requires validation of user-supplied inputs like 'triggered_by' to ensure they match the authenticated user, blocking insecure direct object references.
AC-6 applies least privilege to restrict 'exactmetrics_save_settings' capability to authorized users only, eliminating the prerequisite for exploitation on properly configured systems.