The ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation and activation in all versions up to, and including, 9.1.2. This is due to the reports page exposing the 'onboarding_key' transient to any user with the 'exactmetrics_view_dashboard' capability. This key is the sole authorization gate for the '/wp-json/exactmetrics/v1/onboarding/connect-url' REST endpoint, which returns a one-time hash (OTH) token. That OTH token is in turn the only credential checked by the 'exactmetrics_connect_process' AJAX endpoint, which performs no capability check and no nonce verification and accepts an arbitrary plugin ZIP URL via the 'file' parameter for installation and activation. This makes it possible for authenticated attackers with Editor-level access and above who have been granted the report viewing permission to install and activate arbitrary plugins from attacker-controlled URLs, leading to Remote Code Execution.
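The advisory names three controls that the affected AJAX endpoint lacked: a capability check, nonce verification, and validation of the download source. The handler below is an added illustration of what a hardened WordPress AJAX plugin-installation handler looks like with all three in place; it is not ExactMetrics' code or its fix, and the hook name, action name and nonce action are hypothetical. It uses only core WordPress APIs (`current_user_can`, `check_ajax_referer`, `plugins_api`, `Plugin_Upgrader`).

```php
<?php
// Added example (not ExactMetrics' code): a WordPress AJAX handler that installs a
// plugin only after the three checks the advisory describes as missing.
// 'example_install_plugin' hook/nonce names are hypothetical.

add_action( 'wp_ajax_example_install_plugin', 'example_install_plugin_handler' );

function example_install_plugin_handler() {
    // 1. Capability check: the caller must hold the core install/activate capabilities,
    //    which ordinary Editors do not have. A report-viewing capability is not enough.
    if ( ! current_user_can( 'install_plugins' ) || ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    // 2. Nonce verification: rejects requests that did not originate from a page
    //    rendered for this logged-in user (CSRF protection). Dies on failure.
    check_ajax_referer( 'example_install_plugin', 'nonce' );

    // 3. Input validation: never accept a caller-supplied ZIP URL. Accept only a
    //    plugin slug and resolve the download link through the WordPress.org API.
    $slug = isset( $_POST['slug'] ) ? sanitize_key( wp_unslash( $_POST['slug'] ) ) : '';
    if ( '' === $slug ) {
        wp_send_json_error( array( 'message' => 'Missing plugin slug' ), 400 );
    }

    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';

    $api = plugins_api(
        'plugin_information',
        array( 'slug' => $slug, 'fields' => array( 'sections' => false ) )
    );
    if ( is_wp_error( $api ) || empty( $api->download_link ) ) {
        wp_send_json_error( array( 'message' => 'Unknown plugin' ), 404 );
    }

    // The download URL now comes from the directory lookup, not from the request.
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $api->download_link );
    if ( is_wp_error( $result ) || ! $result ) {
        wp_send_json_error( array( 'message' => 'Installation failed' ), 500 );
    }

    // Activation is a separate privileged step; activate_plugin() returns WP_Error on failure.
    $activated = activate_plugin( $upgrader->plugin_info() );
    if ( is_wp_error( $activated ) ) {
        wp_send_json_error( array( 'message' => $activated->get_error_message() ), 500 );
    }

    wp_send_json_success( array( 'slug' => $slug ) );
}
```

The design point is that no secret token (such as an onboarding key or OTH) stands in for these checks: a token that any dashboard viewer can read is not an authorization boundary, whereas `current_user_can()` ties the decision to the user's actual role, and resolving the package through `plugins_api()` removes the attacker-controlled URL from the flow entirely.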
ExactMetrics WordPress plugin versions up to 9.1.2 allow authenticated attackers with Editor-level access to install and activate arbitrary plugins due to exposed authorization tokens and missing capability checks. The vulnerability exploits weak credential validation in REST and AJAX endpoints, enabling unauthorized plugin installation via arbitrary ZIP URLs.
The ExactMetrics – Google Analytics Dashboard for WordPress plugin contains a vulnerability in versions up to 9.1.2 that allows authenticated attackers with Editor-level access or above to install and activate arbitrary plugins. The vulnerability stems from the exposure of the 'onboarding_key' and the absence of capability checks in the 'exactmetrics_connect_process' AJAX endpoint.
Update the ExactMetrics plugin to version 9.1.3 or later immediately. Restrict the 'exactmetrics_view_dashboard' capability to trusted administrators only. Implement Web Application Firewall (WAF) rules to monitor and block suspicious plugin installation requests. Conduct a security audit of user roles and capabilities across WordPress installations.
Update the ExactMetrics plugin to version 9.1.3 or later immediately. Restrict the 'exactmetrics_view_dashboard' capability to trusted administrators only. Apply Web Application Firewall rules to monitor and block suspicious plugin installation requests. Conduct a security audit of user roles and capabilities across WordPress installations.
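Two of the recommendations above, restricting the 'exactmetrics_view_dashboard' capability and auditing roles and capabilities, can be carried out with core WordPress role APIs. The script below is an added example, not part of the advisory or the plugin: it reports every role that carries the capability, strips it from all roles except those in an allowlist (here only `administrator`, an assumption you may widen), and lists users who were granted the capability directly rather than via a role. Run it with WordPress bootstrapped, for example `wp eval-file audit-exactmetrics-cap.php` under WP-CLI. It is defence in depth only; the update to 9.1.3 remains the fix.

```php
<?php
// Added example (not ExactMetrics' code): audit and restrict the capability the
// advisory identifies as the exposure point. Requires a bootstrapped WordPress
// (e.g. `wp eval-file` via WP-CLI). The capability name comes from the advisory;
// the allowlist of roles is an assumption for this example.

$cap      = 'exactmetrics_view_dashboard';
$keep_for = array( 'administrator' ); // roles permitted to retain the capability
$changed  = array();

// Pass 1: roles. WP_Role::remove_cap() persists the change in the wp_user_roles option.
foreach ( wp_roles()->role_objects as $role_name => $role ) {
    if ( ! $role->has_cap( $cap ) ) {
        continue;
    }
    echo "role '{$role_name}' has {$cap}\n";
    if ( in_array( $role_name, $keep_for, true ) ) {
        continue;
    }
    $role->remove_cap( $cap );
    $changed[] = $role_name;
}

// Pass 2: users with the capability granted directly on the account (stored in
// user meta alongside their roles). $user->caps holds only these explicit grants,
// not capabilities inherited from a role, so this isolates per-user overrides.
// Iterating all users is acceptable for an audit; batch it on very large sites.
$direct = array();
foreach ( get_users( array( 'fields' => 'ID' ) ) as $user_id ) {
    $user = get_user_by( 'id', $user_id );
    if ( $user && ! empty( $user->caps[ $cap ] ) ) {
        $direct[] = $user->user_login;
        // Remove the direct grant unless the account is an administrator.
        if ( ! in_array( 'administrator', (array) $user->roles, true ) ) {
            $user->remove_cap( $cap );
        }
    }
}

echo 'removed from roles: ' . ( $changed ? implode( ', ', $changed ) : 'none' ) . "\n";
echo 'users with a direct grant: ' . ( $direct ? implode( ', ', $direct ) : 'none' ) . "\n";
```

The first pass is what the "restrict the capability to trusted administrators" recommendation amounts to in practice; the second pass covers the case an audit of roles alone would miss, where the capability was added to an individual account. Re-run the script after any plugin update, since plugin activation hooks commonly re-register their capabilities on roles.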