CVE-2026-1993
Published: 11 March 2026
Summary
CVE-2026-1993 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Wordpress (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 29.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2026-1993 is an Improper Privilege Management vulnerability (CWE-269) affecting the ExactMetrics – Google Analytics Dashboard for WordPress plugin in versions 7.1.0 through 9.0.2. The issue stems from the update_settings() function, which accepts arbitrary plugin setting names without a whitelist of allowed settings. This allows low-privileged users to modify sensitive configurations. The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity with network accessibility, low attack complexity, and low privileges required.
Authenticated attackers possessing the exactmetrics_save_settings capability can exploit this flaw to alter any plugin setting, including the save_settings option that governs user role access to plugin functionality. For instance, an attacker could set save_settings to include the subscriber role, effectively granting plugin administrative access to all subscribers on the site. This circumvents the admin's intent to delegate configuration access only to trusted users, enabling broad privilege escalation across the WordPress installation.
Mitigation details are reflected in WordPress plugin repository changesets, such as changeset 3473805, which patches routes.php and capabilities.php files in the google-analytics-dashboard-for-wp trunk. These updates address the lack of setting whitelisting and capability enforcement. Security practitioners should update to a patched version beyond 9.0.2, as referenced in the plugin's trac browser and Wordfence threat intelligence advisory.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-11129
Vulnerability details
The ExactMetrics – Google Analytics Dashboard for WordPress plugin is vulnerable to Improper Privilege Management in versions 7.1.0 through 9.0.2. This is due to the `update_settings()` function accepting arbitrary plugin setting names without a whitelist of allowed settings. This makes…
more
it possible for authenticated attackers with the `exactmetrics_save_settings` capability to modify any plugin setting, including the `save_settings` option that controls which user roles have access to plugin functionality. The admin intended to delegate configuration access to a trusted user, not enable that user to delegate access to everyone. By setting `save_settings` to include `subscriber`, an attacker can grant plugin administrative access to all subscribers on the site.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability directly enables exploitation of improper privilege management to achieve unauthorized elevation from low-privileged authenticated access to plugin administrative capabilities.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Enforces least privilege to prevent authenticated low-privilege users with exactmetrics_save_settings capability from modifying sensitive settings like save_settings that control plugin access roles.
Requires enforcement of approved authorizations, mitigating the update_settings function's failure to restrict access to arbitrary plugin settings.
Mandates validation of information inputs to block arbitrary setting names in update_settings, directly addressing the lack of whitelisting that enables privilege escalation.