ExactMetrics WordPress Plugin Unauthorized Arbitrary Plugin Installation and Activation Vulnerability

Vulnerability

A vulnerability exists in the ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) plugin, affecting all versions through 9.1.2. The issue allows unauthorized users to install and activate arbitrary plugins. This vulnerability arises because the reports page exposes the 'onboarding_key' transient to any user with the 'exactmetrics_view_dashboard' capability. This key is crucial for accessing the '/wp-json/exactmetrics/v1/onboarding/connect-url' REST endpoint, which provides a one-time hash (OTH) token. The OTH token is the only credential required by the 'exactmetrics_connect_process' AJAX endpoint, which lacks capability checks and nonce verification, and allows the submission of plugin ZIP URLs for installation and activation. Consequently, authenticated attackers with Editor-level access or higher, who can view the reports, can exploit this vulnerability to install and activate plugins from malicious URLs, potentially leading to remote code execution.

Impact

Exploitation of this vulnerability allows for unauthorized installation and activation of plugins, which could be used to execute arbitrary code on the server.

Reproduction

To reproduce this vulnerability, an authenticated user with Editor-level access or higher must be granted the 'exactmetrics_view_dashboard' capability. Once this is established, the user can access the reports page, where the 'onboarding_key' transient is exposed. This key can be used to request a one-time hash token from the '/wp-json/exactmetrics/v1/onboarding/connect-url' endpoint. With this token, the user can then call the 'exactmetrics_connect_process' AJAX endpoint, providing a URL to a ZIP file of a malicious plugin. The requested plugin will be downloaded, installed, and activated on the WordPress site.
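The handler described above is missing a capability check and nonce verification and accepts an arbitrary plugin ZIP URL. As an added illustration that is not ExactMetrics code, the following WordPress admin-ajax handler performs the same kind of operation with those checks in place; the action, nonce, transient and package names are hypothetical.

```php
<?php
// Added example, not the plugin's own code. Hardened admin-ajax handler for a
// "connect and install a package" action. Names are hypothetical.
add_action( 'wp_ajax_example_connect_process', 'example_connect_process' );

function example_connect_process() {
    // 1. Capability check: only users who may install plugins get past here.
    //    Editors lack install_plugins, so a leaked dashboard-level key alone
    //    would no longer be enough to reach the install path.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 2. Nonce verification: the issuing page creates the nonce with
    //    wp_create_nonce( 'example_connect' ); check_ajax_referer() dies on mismatch.
    check_ajax_referer( 'example_connect', 'nonce' );

    // 3. Never install from a caller-supplied URL. Map a slug to a server-side
    //    allowlist instead (constructed placeholder URL).
    $allowed = array(
        'example-addon' => 'https://downloads.example.invalid/example-addon.zip',
    );
    $slug = isset( $_POST['slug'] ) ? sanitize_key( wp_unslash( $_POST['slug'] ) ) : '';
    if ( ! isset( $allowed[ $slug ] ) ) {
        wp_send_json_error( array( 'message' => 'Unknown package.' ), 400 );
    }

    // 4. A one-time token, if kept, is an addition to the checks above, not a
    //    substitute: compare in constant time and delete it so it cannot be replayed.
    $token    = isset( $_POST['token'] ) ? sanitize_text_field( wp_unslash( $_POST['token'] ) ) : '';
    $expected = get_transient( 'example_connect_token' );
    if ( ! is_string( $expected ) || '' === $expected || ! hash_equals( $expected, $token ) ) {
        wp_send_json_error( array( 'message' => 'Invalid token.' ), 403 );
    }
    delete_transient( 'example_connect_token' );

    // 5. Install and activate through the core upgrader, from the allowlisted URL only.
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $allowed[ $slug ] );
    if ( is_wp_error( $result ) || ! $result ) {
        wp_send_json_error( array( 'message' => 'Install failed.' ), 500 );
    }
    $activated = activate_plugin( $upgrader->plugin_info() );
    if ( is_wp_error( $activated ) ) {
        wp_send_json_error( array( 'message' => $activated->get_error_message() ), 500 );
    }
    wp_send_json_success( array( 'installed' => $slug ) );
}
```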

Remediation

Users are advised to update the ExactMetrics WordPress plugin to version 9.1.3 or later.

Added: Apr 23, 2026, 10:22 AM
Updated: Apr 23, 2026, 10:22 AM

Vulnerability Rating

Custom Algorithm
spread          0.0
impact          7.5
exploitability  6.3
remediation     0.0
relevance       6.5
threat          4.8
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.