{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-5464/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-5464"}],"_cs_exploited":false,"_cs_products":["ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin)"],"_cs_severities":["critical"],"_cs_tags":["wordpress","plugin","rce","cve-2026-5464","exactmetrics"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eA critical vulnerability, CVE-2026-5464, exists in the ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) plugin, affecting all versions up to and including 9.1.2. The vulnerability allows authenticated attackers with Editor-level access or higher, who also possess the \u0026lsquo;exactmetrics_view_dashboard\u0026rsquo; capability, to install and activate arbitrary WordPress plugins from attacker-controlled URLs. This is possible due to the exposure of the \u0026lsquo;onboarding_key\u0026rsquo; transient and the lack of proper authorization checks on the \u0026lsquo;exactmetrics_connect_process\u0026rsquo; AJAX endpoint. Successful exploitation can lead to Remote Code Execution (RCE) on the target WordPress site. This poses a significant risk to websites using the vulnerable plugin, as attackers can inject malicious code and gain full control of the affected system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains authenticated access to a WordPress site as an Editor or Administrator.\u003c/li\u003e\n\u003cli\u003eThe attacker obtains the \u0026lsquo;onboarding_key\u0026rsquo; by accessing the reports page, which exposes the transient value to users with the \u0026lsquo;exactmetrics_view_dashboard\u0026rsquo; capability.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u0026lsquo;onboarding_key\u0026rsquo; to access the \u0026lsquo;/wp-json/exactmetrics/v1/onboarding/connect-url\u0026rsquo; REST endpoint, receiving a one-time hash (OTH) token.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious plugin ZIP file hosted on an attacker-controlled server.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a request to the \u0026lsquo;exactmetrics_connect_process\u0026rsquo; AJAX endpoint, providing the OTH token and the URL of the malicious plugin ZIP file via the \u0026lsquo;file\u0026rsquo; parameter. This endpoint lacks capability checks and nonce verification.\u003c/li\u003e\n\u003cli\u003eThe ExactMetrics plugin downloads the malicious plugin ZIP file from the attacker-controlled URL.\u003c/li\u003e\n\u003cli\u003eThe ExactMetrics plugin installs and activates the malicious plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker gains Remote Code Execution on the WordPress server through the installed malicious plugin.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5464 allows attackers to install arbitrary plugins on vulnerable WordPress sites, leading to Remote Code Execution. This grants the attacker complete control over the compromised website, enabling them to inject malicious code, deface the site, steal sensitive data, or use the site for further malicious activities. The number of affected websites depends on the widespread use of the ExactMetrics plugin. Organizations using this plugin are at risk of significant data breaches and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) plugin to the latest version, which patches CVE-2026-5464.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests to the \u0026lsquo;/wp-json/exactmetrics/v1/onboarding/connect-url\u0026rsquo; REST endpoint and the \u0026lsquo;exactmetrics_connect_process\u0026rsquo; AJAX endpoint. Implement the Sigma rule provided below to detect exploitation attempts.\u003c/li\u003e\n\u003cli\u003eImplement strong password policies and multi-factor authentication to prevent unauthorized access to WordPress accounts.\u003c/li\u003e\n\u003cli\u003eRestrict the \u0026lsquo;exactmetrics_view_dashboard\u0026rsquo; capability to only the necessary users.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-02-exactmetrics-rce/","summary":"The ExactMetrics plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation and activation via a REST API endpoint, potentially leading to remote code execution by authenticated attackers.","title":"ExactMetrics WordPress Plugin Vulnerability Leads to Remote Code Execution","url":"https://feed.craftedsignal.io/briefs/2024-01-02-exactmetrics-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-5464","version":"https://jsonfeed.org/version/1.1"}