ExactMetrics Google Analytics Dashboard for WordPress Improper Privilege Management Vulnerability Allowing Role Privilege Escalation

Vulnerability

A vulnerability has been identified in the ExactMetrics - Google Analytics Dashboard for WordPress plugin, affecting versions 7.1.0 to 9.0.2. The issue arises in the update_settings() function, which accepts arbitrary plugin setting names without checking them against a whitelist of permitted settings. This flaw allows authenticated attackers who hold the exactmetrics_save_settings capability to alter any plugin setting, including the save_settings option, which determines which user roles have access to certain plugin functionalities. As a result, users who should have no such rights can be granted administrative access to the plugin.
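The missing whitelist described above, shown as an added illustration that is not the plugin's own code: a hypothetical WordPress settings handler in its vulnerable shape beside a hardened one. The option name, setting names and nonce action are invented; only the exactmetrics_save_settings capability comes from this advisory.

```php
<?php
// Added illustration, not ExactMetrics code. Option and setting names are
// invented; only the capability name is taken from the advisory.

// Vulnerable shape: the request supplies the setting name and nothing checks
// it against a permitted list, so a holder of the save-settings capability
// can overwrite the option that controls which roles may use the plugin.
function vulnerable_update_settings() {
    check_ajax_referer( 'example_settings_nonce' );
    if ( ! current_user_can( 'exactmetrics_save_settings' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $settings          = get_option( 'example_plugin_settings', array() );
    $name              = sanitize_key( wp_unslash( $_POST['setting'] ?? '' ) );
    $settings[ $name ] = wp_unslash( $_POST['value'] ?? '' ); // any key, any value
    update_option( 'example_plugin_settings', $settings );
    wp_send_json_success();
}

// Hardened shape: an explicit whitelist of setting names, each paired with a
// sanitizer. Role-assignment settings are deliberately absent, so the
// save-settings capability alone can never reach them; changing roles must
// go through a separate path that requires manage_options.
function allowed_user_settings() {
    return array(
        'anonymize_ips'          => 'rest_sanitize_boolean',
        'tracking_mode'          => 'sanitize_key',
        'custom_dimension_label' => 'sanitize_text_field',
    );
}

function hardened_update_settings() {
    check_ajax_referer( 'example_settings_nonce' );
    if ( ! current_user_can( 'exactmetrics_save_settings' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $allowed = allowed_user_settings();
    $name    = sanitize_key( wp_unslash( $_POST['setting'] ?? '' ) );
    if ( ! array_key_exists( $name, $allowed ) ) {
        // Reject and record the attempt: rejected role-related names are a
        // useful detection signal for site operators.
        error_log( sprintf( 'rejected setting "%s" from user %d', $name, get_current_user_id() ) );
        wp_send_json_error( 'unknown setting', 400 );
    }
    $settings          = get_option( 'example_plugin_settings', array() );
    $settings[ $name ] = call_user_func( $allowed[ $name ], wp_unslash( $_POST['value'] ?? '' ) );
    update_option( 'example_plugin_settings', $settings );
    wp_send_json_success();
}
```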

Impact

Exploitation of this vulnerability could result in unauthorized role privilege escalation, allowing attackers to grant themselves or others elevated permissions within the WordPress site.

Reproduction

To reproduce this vulnerability, an authenticated user with the exactmetrics_save_settings capability can send a request to the update_settings() function with a setting name that is not whitelisted. This request can include a value that modifies the save_settings option to grant access to a broader range of user roles, such as subscribers.

Remediation

Users are advised to update the ExactMetrics - Google Analytics Dashboard for WordPress plugin to version 9.0.3 or a newer patched version.

Added: Mar 11, 2026, 10:22 AM
Updated: Mar 11, 2026, 10:22 AM

Vulnerability Rating

Custom Algorithm

spread:         0.0
impact:         5.0
exploitability: 5.8
remediation:    0.0
relevance:      3.8
threat:         4.8
urgency:        2.9
incentive:      0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.