
CVE-2026-1992

Severity: High
Published: 11 March 2026
Modified: 22 April 2026
KEV Added: not listed
CVSS Score (v3.1): 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0063 (45.5th percentile)
Risk Priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-1992 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in WordPress (affected product inferred from references). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 45.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-1992 is an Insecure Direct Object Reference (IDOR) vulnerability, classified under CWE-639, affecting the ExactMetrics – Google Analytics Dashboard for WordPress plugin in versions 8.6.0 through 9.0.2. The issue resides in the `store_settings()` method of the `ExactMetrics_Onboarding` class, which accepts a user-supplied `triggered_by` parameter and uses it in place of the current user's ID when checking permissions. This flaw has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-03-11.

Authenticated attackers possessing the `exactmetrics_save_settings` capability can exploit this vulnerability to bypass the `install_plugins` capability check. By specifying an administrator's user ID in the `triggered_by` parameter, such attackers can install arbitrary plugins, potentially leading to remote code execution (RCE). Exploitation is limited to sites where administrators have granted non-administrator user types permission to view reports, and only those specific users can perform the attack.

References point to the vulnerable code at line 273 in `class-exactmetrics-onboarding.php`, a patch in changeset 3473805 of the plugin's Trac repository, and a Wordfence threat intelligence advisory detailing the issue.


Vulnerability details

The ExactMetrics – Google Analytics Dashboard for WordPress plugin is vulnerable to Insecure Direct Object Reference in versions 8.6.0 through 9.0.2. This is due to the `store_settings()` method in the `ExactMetrics_Onboarding` class accepting a user-supplied `triggered_by` parameter that is used instead of the current user's ID to check permissions. This makes it possible for authenticated attackers with the `exactmetrics_save_settings` capability to bypass the `install_plugins` capability check by specifying an administrator's user ID in the `triggered_by` parameter, allowing them to install arbitrary plugins and achieve Remote Code Execution. This vulnerability only affects sites on which an administrator has given other user types permission to view reports, and it can only be exploited by users of those types.
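The authorization flaw described in the deeper analysis and the vulnerability details above, as an added illustration that is not the plugin's own code: a hypothetical settings handler that lets a request-supplied `triggered_by` choose whose capabilities are checked, next to a hardened version that authorizes only against the authenticated session. The `example_*` function names and the `$request` array are assumptions; `current_user_can()`, `user_can()`, `get_current_user_id()`, `absint()` and `WP_Error` are standard WordPress APIs.

```php
<?php
// Added illustration, not code from the ExactMetrics plugin. Function names
// prefixed example_ and the $request array are hypothetical.

// Vulnerable pattern: the identity used for the authorization decision comes
// from the request itself. Because the caller picks the user id, the check
// answers "can user N install plugins?" rather than "can the caller?", which
// is the CWE-639 condition the advisory describes.
function example_store_settings_vulnerable( array $request ) {
    $triggered_by = isset( $request['triggered_by'] ) ? absint( $request['triggered_by'] ) : 0;

    if ( ! user_can( $triggered_by, 'install_plugins' ) ) {
        return new WP_Error( 'forbidden', 'insufficient capability' );
    }

    // ...settings stored / plugin installation performed here...
    return true;
}

// Hardened pattern: the capability check is bound to the logged-in user via
// current_user_can(), so no request field can substitute another identity.
// If a client-supplied id is still accepted (e.g. for audit logging), it is
// pinned to the session's user id and rejected on mismatch.
function example_store_settings_hardened( array $request ) {
    $actor = get_current_user_id();

    if ( 0 === $actor || ! current_user_can( 'install_plugins' ) ) {
        return new WP_Error( 'forbidden', 'insufficient capability' );
    }

    if ( isset( $request['triggered_by'] ) && absint( $request['triggered_by'] ) !== $actor ) {
        return new WP_Error( 'bad_request', 'triggered_by must match the current user' );
    }

    // ...settings stored / plugin installation performed here...
    return true;
}
```

A rejected mismatch between `triggered_by` and the session's user id is also a useful log event for detection, since a benign client has no reason to send someone else's id.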


Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1068 Exploitation for Privilege Escalation (Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1505.003 Web Shell (Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.

Why these techniques?

An IDOR authorization bypass in a public-facing WordPress plugin directly enables exploitation under T1190; it bypasses a capability check for privilege escalation (T1068), and the resulting malicious plugin install provides a web shell or RCE foothold (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-14996 (shared CWE-639)
CVE-2020-37094 (shared CWE-639)
CVE-2025-67165 (shared CWE-639)
CVE-2025-5947 (shared CWE-639)
CVE-2025-15018 (shared CWE-639)
CVE-2025-34436 (shared CWE-639)
CVE-2026-7399 (shared CWE-639)
CVE-2024-10497 (shared CWE-639)
CVE-2026-25147 (shared CWE-639)
CVE-2026-2414 (shared CWE-639)

Affected Assets

WordPress (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent): enforces approved authorizations using the current user's identity rather than a user-supplied `triggered_by` parameter, directly preventing the IDOR permission bypass.

SI-10 Information Input Validation (prevent): requires validation of user-supplied inputs such as `triggered_by` to ensure they match the authenticated user, blocking insecure direct object references.

AC-6 Least Privilege (prevent): applies least privilege to restrict the `exactmetrics_save_settings` capability to authorized users only, removing the prerequisite for exploitation on properly configured sites.

References