If your WordPress website uses ExactMetrics to track visitor stats, an attacker may be able to silently install malicious software on your site — no password required.
Who's at Risk — and How Bad Is It?
ExactMetrics — formerly known as Google Analytics Dashboard for WP — is one of the most widely installed analytics plugins in the WordPress ecosystem, active on over 1 million websites worldwide. It's used by bloggers, small business owners, e-commerce stores, news sites, and enterprise marketing teams who want to see their Google Analytics data without leaving WordPress.
A newly disclosed vulnerability, tracked as CVE-2026-5464, affects every version of the plugin up to and including 9.1.2. That means the overwhelming majority of ExactMetrics users are currently exposed. The real-world impact ranges from a defaced homepage all the way up to a fully compromised server — stolen customer data, injected payment skimmers, ransomware, and beyond. If you run a site that collects emails, processes orders, or stores any user information, this is your problem too.
How the Attack Works — In Plain English
Imagine you work at a company and there's a master key to the building hanging on a corkboard in a conference room. The corkboard is supposed to be for senior staff only — but the lock on that room is broken, so anyone with even a basic visitor badge can walk in and read the key's serial number. Once they have that number, they can go to the front desk and claim a special one-time key that opens every door in the building — including the server room. That's essentially what's happening here.
ExactMetrics has a setup process called "onboarding" — a wizard that walks site owners through connecting their WordPress site to Google Analytics. Part of that process uses a secret temporary code, called an onboarding_key, to authorize the setup steps. The problem is that this secret code is visible to anyone who has even the most basic analytics-viewing permission on the site. That's a very low bar — think a marketing intern who was given read-only access just to check traffic numbers. They were never supposed to be able to change anything.
Armed with that exposed code, an attacker — whether an insider or someone who has compromised a low-privilege account — can hit a specific web address on your site to claim a one-time access token. That token then unlocks an installation routine that WordPress thinks is a legitimate, authorized action. The attacker can use it to install any plugin they choose — including malicious ones packed with backdoors, spyware, or tools that hand them full administrative control of your site. The whole chain happens quietly, in the background, with no alerts and no obvious footprint.
The Technical Anchor Security Teams Need
For researchers and defenders digging into this: the vulnerability lives in a failure of privilege separation across two REST API endpoints. The /wp-json/exactmetrics/v1/onboarding/connect-url endpoint leaks the onboarding_key transient to any principal holding the exactmetrics_view_dashboard capability — a capability granted far below administrative trust level. That key is the sole authorization gate for retrieving a one-time hash (OTH) token, which is itself the only credential checked by the exactmetrics_connect_process installation handler. There is no nonce validation, no capability re-check, and no rate limiting on the OTH endpoint. The vulnerability class is authentication bypass leading to arbitrary plugin installation, with a CVSS score of 7.2 (HIGH). Successful exploitation achieves remote code execution at the web application layer.
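For developers and defenders who want to see what the missing controls look like in code, the following is an added illustration, not ExactMetrics code and not a description of the vendor's fix in 9.1.3. It is a hypothetical plugin route pair (namespace `example/v1`, route names, transient keys and `example_*` function names are all assumed) that shows the four controls the paragraph above says were absent: a capability gate at administrative trust level rather than a dashboard-viewing capability, REST nonce validation, a single-use short-lived token that is bound to the issuing user and compared in constant time, and a per-user rate limit on the token endpoint.

```php
<?php
/**
 * Added example (not ExactMetrics code): a hardened REST route pair for a
 * plugin "onboarding" flow. The namespace, route names, transient keys and
 * function names are hypothetical. Intended to be read as a pattern, e.g. in a
 * small plugin on a staging site.
 */

add_action( 'rest_api_init', function () {
    // Step 1: mint a one-time token. Only principals who may install plugins
    // reach the callback, so a read-only analytics viewer receives a 403 here.
    register_rest_route( 'example/v1', '/onboarding/token', array(
        'methods'             => 'POST',
        'permission_callback' => 'example_onboarding_permission',
        'callback'            => 'example_issue_onboarding_token',
    ) );

    // Step 2: the privileged action. The token is required, but it is never
    // the only thing checked: capability and nonce are verified again.
    register_rest_route( 'example/v1', '/onboarding/install', array(
        'methods'             => 'POST',
        'permission_callback' => 'example_onboarding_permission',
        'callback'            => 'example_onboarding_install',
        'args'                => array(
            'token' => array( 'required' => true, 'type' => 'string' ),
        ),
    ) );
} );

function example_onboarding_permission( WP_REST_Request $request ) {
    // Administrative capability, not a plugin-specific "view" capability.
    if ( ! current_user_can( 'install_plugins' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient capability.', array( 'status' => 403 ) );
    }
    // Core already rejects cookie-authenticated REST calls with a missing or
    // bad X-WP-Nonce; the explicit re-check documents the requirement.
    $nonce = $request->get_header( 'X-WP-Nonce' );
    if ( ! $nonce || ! wp_verify_nonce( $nonce, 'wp_rest' ) ) {
        return new WP_Error( 'rest_cookie_invalid_nonce', 'Nonce check failed.', array( 'status' => 403 ) );
    }
    return true;
}

function example_issue_onboarding_token( WP_REST_Request $request ) {
    $user_id = get_current_user_id();

    // Simple rate limit: at most 5 token requests per user per 10 minutes.
    $bucket = 'example_tok_rl_' . $user_id;
    $count  = (int) get_transient( $bucket );
    if ( $count >= 5 ) {
        return new WP_Error( 'rest_too_many_requests', 'Too many requests.', array( 'status' => 429 ) );
    }
    set_transient( $bucket, $count + 1, 10 * MINUTE_IN_SECONDS );

    // Random, short-lived, bound to the requesting user, stored only as a hash
    // so a leaked transient table does not hand out usable tokens.
    $token = wp_generate_password( 32, false );
    set_transient( 'example_onboarding_tok_' . $user_id, hash( 'sha256', $token ), 5 * MINUTE_IN_SECONDS );

    return rest_ensure_response( array( 'token' => $token ) );
}

function example_onboarding_install( WP_REST_Request $request ) {
    $user_id = get_current_user_id();
    $key     = 'example_onboarding_tok_' . $user_id;
    $stored  = get_transient( $key );
    $given   = hash( 'sha256', (string) $request->get_param( 'token' ) );

    // Constant-time compare. A token issued to another account cannot be
    // replayed here, because the lookup key comes from the current user,
    // not from anything in the request.
    if ( ! $stored || ! hash_equals( $stored, $given ) ) {
        return new WP_Error( 'rest_invalid_token', 'Token invalid or expired.', array( 'status' => 403 ) );
    }
    // Single use: burn the token before doing any privileged work.
    delete_transient( $key );

    // Hand off to WordPress's own plugin installer here; the authorization
    // decision above is the part this example exists to show.
    return rest_ensure_response( array( 'ok' => true ) );
}
```

The contrast with the flaw described above is the ordering of trust: the token is a convenience on top of a capability check that is repeated on every privileged request, never a substitute for it, and nothing the token endpoint returns is readable by a principal that could not already perform the install directly.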
Has Anyone Been Attacked Yet?
As of publication, no active exploitation has been confirmed in the wild. There are no known victim campaigns, no threat actor groups attributed, and no public proof-of-concept exploit code circulating in open forums — though that situation can change rapidly once a CVE is public. The vulnerability was responsibly disclosed, and the ExactMetrics team has been notified. The disclosure timeline and the identity of the discovering researcher have not been fully publicized at the time of writing.
Security teams should treat the absence of confirmed exploitation as a window of opportunity, not a reason to wait. WordPress plugin vulnerabilities with publicly known CVE identifiers are routinely picked up by automated scanners within days of disclosure. The low complexity of this attack chain — requiring only a low-privilege account, no special tools, and a handful of HTTP requests — makes it an attractive target for opportunistic attackers and automated exploit kits alike.
What To Do Right Now — 3 Steps
- Update ExactMetrics immediately to version 9.1.3 or later.
  Log into your WordPress admin dashboard, go to Plugins → Installed Plugins, find ExactMetrics, and click Update Now. If a patched version is not yet showing in your dashboard, check the official WordPress plugin page for the latest release. Do not wait for your hosting provider to do this automatically — check manually today.
- Audit who has the exactmetrics_view_dashboard capability on your site.
  Even after patching, it's good hygiene to know which user accounts can access your analytics dashboard. Use a plugin like User Role Editor or check your user list under Users → All Users and remove access from anyone who doesn't genuinely need it. A marketing contractor who left six months ago shouldn't still have an active account.
- Review recently installed plugins for anything unfamiliar.
  Go to Plugins → Installed Plugins and look for anything you don't recognize, anything installed recently that you didn't authorize, or any plugin that is installed but not active (a common tactic to hide a backdoor until it's needed). If you find something suspicious, deactivate and delete it immediately, then change all administrative passwords and revoke active sessions using a security plugin like Wordfence or Solid Security.
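Steps 2 and 3 can be done from the dashboard as described, but on a site with many accounts or plugins a script is faster and leaves a record. The following is an added audit script, not part of ExactMetrics or of this advisory; run it with WP-CLI as `wp eval-file audit.php` (the file name and the `example_*` function names are assumptions). It lists every account that effectively holds exactmetrics_view_dashboard, whether through a role or a per-user grant, and every installed-but-inactive plugin, flagging plugin files modified within the last 30 days so recent, unauthorized installs stand out.

```php
<?php
/**
 * Added audit script (not ExactMetrics code): run via `wp eval-file audit.php`
 * so WordPress is loaded and the capability/plugin APIs are available.
 * Function names are hypothetical; the 30-day window is an arbitrary choice.
 */

function example_users_with_cap( $cap ) {
    $holders = array();
    foreach ( get_users( array( 'fields' => 'all' ) ) as $user ) {
        // user_can() resolves role grants and per-user capabilities alike,
        // so administrators who inherit the cap are listed too.
        if ( user_can( $user, $cap ) ) {
            $holders[] = array(
                'id'    => $user->ID,
                'login' => $user->user_login,
                'roles' => implode( ',', $user->roles ),
            );
        }
    }
    return $holders;
}

function example_inactive_plugins( $recent_days = 30 ) {
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $cutoff   = time() - $recent_days * DAY_IN_SECONDS;
    $inactive = array();
    foreach ( get_plugins() as $file => $data ) {
        if ( is_plugin_active( $file ) ) {
            continue;
        }
        // Modification time of the plugin's main file is a cheap proxy for
        // "installed or updated recently"; treat it as a lead, not proof.
        $mtime  = filemtime( WP_PLUGIN_DIR . '/' . $file );
        $recent = $mtime !== false && $mtime >= $cutoff;
        $inactive[ $file ] = array(
            'label'  => $data['Name'] . ' ' . $data['Version'],
            'mtime'  => $mtime ? date( 'Y-m-d', $mtime ) : 'unknown',
            'recent' => $recent,
        );
    }
    return $inactive;
}

echo "Accounts holding exactmetrics_view_dashboard:\n";
foreach ( example_users_with_cap( 'exactmetrics_view_dashboard' ) as $u ) {
    printf( "  #%d %s [%s]\n", $u['id'], $u['login'], $u['roles'] );
}

echo "Installed but inactive plugins (review each; * = modified in last 30 days):\n";
foreach ( example_inactive_plugins() as $file => $p ) {
    printf( "  %s%s (%s, %s)\n", $p['recent'] ? '* ' : '  ', $p['label'], $file, $p['mtime'] );
}
```

Review the first list against who actually needs analytics access and remove the rest; review the second list against your own change records, and treat any starred entry you did not install yourself as suspicious until you have checked its contents.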
CVE-2026-5464 | CVSS 7.2 HIGH | Affects ExactMetrics ≤ 9.1.2 | Category: Authentication Bypass / Remote Code Execution