ExactMetrics Google Analytics Dashboard for WordPress Insecure Direct Object Reference Vulnerability Allowing Arbitrary Plugin Installation
Vulnerability
A vulnerability exists in the ExactMetrics – Google Analytics Dashboard for WordPress plugin, specifically in versions 8.6.0 to 9.0.2. The issue is an Insecure Direct Object Reference (IDOR) that allows authenticated attackers with the 'exactmetrics_save_settings' capability to bypass permission checks. The vulnerability arises because the 'store_settings()' method in the 'ExactMetrics_Onboarding' class uses a user-supplied 'triggered_by' parameter for permission validation, instead of the current user's ID. This flaw enables attackers to specify an administrator's user ID, bypassing the 'install_plugins' capability check, and potentially leading to the installation of malicious plugins that could execute arbitrary code. Exploitation requires that the administrator has granted permission to other user roles to view reports.
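As an added illustration of the flaw described above (not ExactMetrics' own code), the pattern in which a permission check is evaluated for a caller-supplied user ID, beside the corrected form that binds the check to the authenticated session. Only the capability names and the endpoint come from the advisory; the method bodies, the `$settings` layout and the installation helper are assumptions.

```php
<?php
// Added illustration of the flaw described in this advisory. This is not
// ExactMetrics' code: method bodies, the $settings layout and the helper are
// constructed here; only the capability names and endpoint come from the text.

// Vulnerable pattern: the install_plugins check is evaluated for whichever
// user ID the request body names, not for the authenticated caller.
function store_settings_vulnerable( WP_REST_Request $request ) {
    $settings     = $request->get_param( 'settings' );
    $triggered_by = absint( $request->get_param( 'triggered_by' ) ); // caller-controlled

    // user_can() answers for $triggered_by; naming an administrator's ID passes
    // the check even though the caller only holds exactmetrics_save_settings.
    if ( ! user_can( $triggered_by, 'install_plugins' ) ) {
        return new WP_Error( 'rest_forbidden', 'Not allowed', array( 'status' => 403 ) );
    }
    return install_requested_plugins( $settings );
}

// Hardened pattern: bind the check to the session WordPress authenticated.
// Nothing in the request body can influence which user is evaluated.
function store_settings_fixed( WP_REST_Request $request ) {
    $settings = $request->get_param( 'settings' );

    if ( ! current_user_can( 'install_plugins' ) ) {
        return new WP_Error( 'rest_forbidden', 'Not allowed', array( 'status' => 403 ) );
    }
    return install_requested_plugins( $settings );
}

// Stand-in for the installation step (assumed shape: $settings['plugins'] is a
// list of plugin slugs). Real code would hand these to Plugin_Upgrader.
function install_requested_plugins( $settings ) {
    $slugs = isset( $settings['plugins'] ) ? (array) $settings['plugins'] : array();
    $slugs = array_map( 'sanitize_key', $slugs );
    return rest_ensure_response( array( 'installed' => $slugs ) );
}

// Route registration: the permission_callback gates entry to the endpoint; the
// install_plugins decision must still be made inside the handler, as above.
add_action( 'rest_api_init', function () {
    register_rest_route( 'exactmetrics/v1', '/onboarding/settings', array(
        'methods'             => 'POST',
        'callback'            => 'store_settings_fixed',
        'permission_callback' => function () {
            return current_user_can( 'exactmetrics_save_settings' );
        },
    ) );
} );
```

The route-level capability only decides who may reach the endpoint; the privileged action inside the handler needs its own check, and that check must never take the subject user from request input.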
Impact
Successful exploitation allows authenticated users to bypass authorization checks, leading to the installation of arbitrary plugins, which could be used to execute malicious code on the site.
Reproduction
To reproduce this vulnerability, an authenticated user with the 'exactmetrics_save_settings' capability can send a request to the WordPress REST API 'exactmetrics/v1/onboarding/settings' endpoint. The request must include a 'settings' parameter with the desired plugin installation details and a 'triggered_by' parameter set to an administrator's user ID. This request will bypass the normal permission checks and allow the installation of specified plugins.
Remediation
Users are advised to update the ExactMetrics – Google Analytics Dashboard for WordPress plugin to version 9.0.3 or later.
