ExactMetrics Google Analytics Dashboard for WordPress Missing Authorization Vulnerability
Vulnerability
A missing authorization vulnerability has been identified in the ExactMetrics Google Analytics Dashboard for WordPress plugin, affecting versions through 9.1.2. The issue arises from inadequate capability checks in the AJAX handlers 'get_ads_access_token()' and 'reset_experience()'. While the 'mi-admin-nonce' is available on all admin pages, including 'profile.php' which is accessible to subscribers, these two endpoints only verify the nonce without proper authorization. This flaw allows authenticated attackers with subscriber-level access or higher to obtain valid Google Ads access tokens and reset Google Ads integration settings.
Impact
Exploitation of this vulnerability could lead to unauthorized access to Google Ads integration features, allowing attackers to retrieve access tokens and modify settings without proper authorization.
Reproduction
To reproduce this vulnerability, an authenticated user with subscriber-level access or higher can send a request to the 'get_ads_access_token' or 'exactmetrics_ads_reset_experience' AJAX endpoints. These requests must include the 'mi-admin-nonce', which any user who can load an admin page such as 'profile.php' can obtain, so the nonce check passes. Once the request is processed, the user receives a valid Google Ads access token or a confirmation that the Google Ads experience has been reset, depending on which endpoint was accessed.
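As an added illustration of the handler pattern described above (not the plugin's own code), here is a WordPress AJAX handler that only verifies a nonce, beside one that also enforces a capability. Function, hook and option names are hypothetical; the nonce action 'mi-admin-nonce' is taken from this advisory and its exact use in the plugin is an assumption.

```php
<?php
// Added illustration, not ExactMetrics code. Hook names, function names and
// the option key are hypothetical; 'mi-admin-nonce' is the nonce named above.

// Vulnerable pattern: the nonce only proves the request originated from a
// page that rendered it. Subscribers can load admin pages such as
// profile.php, so a valid nonce says nothing about what the caller may do.
function example_reset_ads_vulnerable() {
    check_ajax_referer( 'mi-admin-nonce', 'nonce' ); // CSRF check only
    delete_option( 'example_ads_token' );             // privileged state change
    wp_send_json_success( array( 'reset' => true ) );
}
add_action( 'wp_ajax_example_ads_reset_vulnerable', 'example_reset_ads_vulnerable' );

// Hardened pattern: keep the CSRF nonce check and add an authorization check
// matching the privilege the action needs. 'manage_options' is held by
// administrators only; wp_send_json_error() calls wp_die(), so execution
// stops before any state changes for lower-privileged callers.
function example_reset_ads_hardened() {
    check_ajax_referer( 'mi-admin-nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    delete_option( 'example_ads_token' );
    wp_send_json_success( array( 'reset' => true ) );
}
add_action( 'wp_ajax_example_ads_reset_hardened', 'example_reset_ads_hardened' );
```

The same two-part check (nonce for request origin, capability for authorization) applies equally to a handler that returns a token rather than resetting one.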
Remediation
Users can update to ExactMetrics version 9.1.3 or later, where this vulnerability has been addressed.
