Cyber Resilience

CVE-2026-1993

High

Published: 11 March 2026

Published
11 March 2026
Modified
22 April 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0038 29.7th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-1993 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Wordpress (inferred from references). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 29.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-1993 is an Improper Privilege Management vulnerability (CWE-269) affecting the ExactMetrics – Google Analytics Dashboard for WordPress plugin in versions 7.1.0 through 9.0.2. The issue stems from the update_settings() function, which accepts arbitrary plugin setting names without a whitelist of allowed settings. This allows low-privileged users to modify sensitive configurations. The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity with network accessibility, low attack complexity, and low privileges required.

Authenticated attackers possessing the exactmetrics_save_settings capability can exploit this flaw to alter any plugin setting, including the save_settings option that governs user role access to plugin functionality. For instance, an attacker could set save_settings to include the subscriber role, effectively granting plugin administrative access to all subscribers on the site. This circumvents the admin's intent to delegate configuration access only to trusted users, enabling broad privilege escalation across the WordPress installation.

Mitigation details are reflected in WordPress plugin repository changesets, such as changeset 3473805, which patches routes.php and capabilities.php files in the google-analytics-dashboard-for-wp trunk. These updates address the lack of setting whitelisting and capability enforcement. Security practitioners should update to a patched version beyond 9.0.2, as referenced in the plugin's trac browser and Wordfence threat intelligence advisory.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

The ExactMetrics – Google Analytics Dashboard for WordPress plugin is vulnerable to Improper Privilege Management in versions 7.1.0 through 9.0.2. This is due to the `update_settings()` function accepting arbitrary plugin setting names without a whitelist of allowed settings. This makes…

more

it possible for authenticated attackers with the `exactmetrics_save_settings` capability to modify any plugin setting, including the `save_settings` option that controls which user roles have access to plugin functionality. The admin intended to delegate configuration access to a trusted user, not enable that user to delegate access to everyone. By setting `save_settings` to include `subscriber`, an attacker can grant plugin administrative access to all subscribers on the site.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The vulnerability directly enables exploitation of improper privilege management to achieve unauthorized elevation from low-privileged authenticated access to plugin administrative capabilities.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-23896Shared CWE-269
CVE-2025-27639Shared CWE-269
CVE-2025-8899Shared CWE-269
CVE-2025-26705Shared CWE-269
CVE-2015-10139Shared CWE-269
CVE-2026-8972Shared CWE-269
CVE-2025-0893Shared CWE-269
CVE-2026-6769Shared CWE-269
CVE-2025-2858Shared CWE-269
CVE-2025-48613Shared CWE-269

Affected Assets

Wordpress
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces least privilege to prevent authenticated low-privilege users with exactmetrics_save_settings capability from modifying sensitive settings like save_settings that control plugin access roles.

prevent

Requires enforcement of approved authorizations, mitigating the update_settings function's failure to restrict access to arbitrary plugin settings.

prevent

Mandates validation of information inputs to block arbitrary setting names in update_settings, directly addressing the lack of whitelisting that enables privilege escalation.

References