Cyber Posture

CVE-2026-5464

High

Published: 23 April 2026

Published
23 April 2026
Modified
23 April 2026
KEV Added
Patch
CVSS Score 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0023 46.2th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-5464 is a high-severity Missing Authorization (CWE-862) vulnerability in Wordpress (inferred from references). Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 46.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and CM-11 (User-installed Software).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match
prevent

Enforces approved authorizations on REST and AJAX endpoints, directly preventing unauthorized access to the onboarding key and arbitrary plugin installation functions.

CM-11 User-installed Software good match
prevent

Monitors and controls user-installed software, blocking unauthorized plugin installations and activations from arbitrary ZIP URLs.

SI-10 Information Input Validation partial match
prevent

Validates information inputs like the arbitrary file parameter on the AJAX endpoint, mitigating acceptance of malicious plugin ZIPs.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1105 Ingress Tool Transfer Command And Control
Adversaries may transfer tools or other files from an external system into a compromised environment.
attack.mitre.org →
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
attack.mitre.org →
Why these techniques?

Vulnerability in public-facing WordPress plugin allows authenticated attackers to bypass authorization and install/activate arbitrary plugins from attacker-controlled ZIP URLs, directly enabling exploitation of the public-facing app (T1190), ingress of malicious tools/plugins (T1105), and web shell installation for RCE (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

The ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation and activation in all versions up to, and including, 9.1.2. This is due to the reports page exposing the…

more

'onboarding_key' transient to any user with the 'exactmetrics_view_dashboard' capability. This key is the sole authorization gate for the '/wp-json/exactmetrics/v1/onboarding/connect-url' REST endpoint, which returns a one-time hash (OTH) token. This OTH token is then the only credential checked by the 'exactmetrics_connect_process' AJAX endpoint — which has no capability check, no nonce verification, and accepts an arbitrary plugin ZIP URL via the file parameter for installation and activation. This makes it possible for authenticated attackers, with Editor-level access and above granted the report viewing permission, to install and activate arbitrary plugins from attacker-controlled URLs, leading to Remote Code Execution.

Deeper analysisAI

CVE-2026-5464 is a vulnerability in the ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) plugin for WordPress, affecting all versions up to and including 9.1.2. It enables unauthorized arbitrary plugin installation and activation due to the reports page exposing the 'onboarding_key' transient to any user with the 'exactmetrics_view_dashboard' capability. This key acts as the sole authorization for the '/wp-json/exactmetrics/v1/onboarding/connect-url' REST endpoint, which returns a one-time hash (OTH) token. The 'exactmetrics_connect_process' AJAX endpoint then accepts this token without capability checks, nonce verification, or restrictions, allowing an arbitrary plugin ZIP URL via the file parameter for installation and activation.

Authenticated attackers with Editor-level access or higher, granted the 'exactmetrics_view_dashboard' capability, can exploit this by accessing the exposed onboarding key, obtaining the OTH token, and submitting an attacker-controlled plugin ZIP to the AJAX endpoint. Successful exploitation leads to installation and activation of arbitrary plugins, resulting in remote code execution on the WordPress site. The issue carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-862 (Missing Authorization).

Advisories and code references, including Wordfence threat intelligence (https://www.wordfence.com/threat-intel/vulnerabilities/id/09127277-9e71-484d-b674-52af693c995b?source=cve) and WordPress plugin trac links to vulnerable files such as admin-assets.php (line 932), class-exactmetrics-onboarding.php (line 109), and connect.php (lines 27 and 219), provide details on the affected code paths for analysis and mitigation planning.

Details

CWE(s)
CWE-862

Affected Products

Wordpress
inferred from references and description; NVD did not file a CPE for this CVE

CVEs Like This One

CVE-2025-10690Shared CWE-862
CVE-2025-5394Shared CWE-862
CVE-2025-1307Shared CWE-862
CVE-2026-1720Shared CWE-862
CVE-2025-8418Shared CWE-862
CVE-2026-5294Shared CWE-862
CVE-2025-12975Shared CWE-862
CVE-2026-25242Shared CWE-862
CVE-2026-4326Shared CWE-862
CVE-2026-40189Shared CWE-862

References