MonsterInsights WordPress Plugin Exposes Google OAuth Tokens
The MonsterInsights – Google Analytics Dashboard for WordPress plugin, specifically versions up to and including 10.1.2, is vulnerable to unauthorized data access and modification. The National Vulnerability Database highlights a critical flaw: missing capability checks in the get_ads_access_token() and reset_experience() functions.
This vulnerability, rated 7.1 (HIGH) on the CVSS scale, allows authenticated attackers with even Subscriber-level access to retrieve live Google OAuth access tokens. It also enables them to reset the plugin’s Google Ads integration. This isn’t just a nuisance; it’s a direct conduit to sensitive Google API access.
For defenders, this means a low-privilege WordPress user can potentially compromise your Google Analytics and Google Ads data. The attacker’s calculus is simple: exploit a common plugin, leverage existing low-level access, and gain a foothold into high-value advertising and analytics accounts. It’s a classic lateral movement play, starting from a seemingly innocuous plugin.
What This Means For You
- If your organization uses the MonsterInsights WordPress plugin, verify your installed version immediately.
- Patch to a fixed version beyond 10.1.2.
- Audit your WordPress user accounts for any suspicious activity, especially accounts with Subscriber-level access or above.
- Any retrieved Google OAuth tokens could give attackers persistent access to your Google Analytics and Ads data, even if the WordPress vulnerability is patched later.
🛡️ Detection Rules
MonsterInsights OAuth Token Exposure via get_ads_access_token() - CVE-2026-5371
```yaml
title: MonsterInsights OAuth Token Exposure via get_ads_access_token() - CVE-2026-5371
id: scw-2026-05-12-ai-1
status: experimental
level: high
description: |
  Detects attempts to exploit CVE-2026-5371 by directly calling the 'monsterinsights_get_ads_access_token' AJAX action.
  This function is vulnerable due to missing capability checks, allowing authenticated users (even with the Subscriber
  role) to retrieve Google OAuth access tokens. This rule specifically targets the vulnerable function call within the
  WordPress AJAX handler.
author: SCW Feed Engine (AI-generated)
date: 2026-05-12
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-5371/
tags:
  - attack.privilege_escalation
  - attack.t1078.004
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/wp-admin/admin-ajax.php'
    cs-uri-query|contains:
      - 'action=monsterinsights_get_ads_access_token'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
Source: Shimi's Cyber World
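The rule's selection applied to web server logs, as an added example that is not part of the original post or the rule author's tooling. The W3C extended log layout, the sample lines and the helper names are assumptions; the rule's `cs-uri` field is mapped onto W3C's `cs-uri-stem`/`cs-uri-query` pair, and `blind_spots()` surfaces the requests this query-string rule cannot classify.

```python
# Constructed sample log in W3C extended format (not real traffic; documentation IPs).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2026-05-13 02:10:01 203.0.113.7 GET /wp-admin/admin-ajax.php action=monsterinsights_get_ads_access_token 200
2026-05-13 02:10:05 198.51.100.4 POST /wp-admin/admin-ajax.php - 200
2026-05-13 02:11:09 203.0.113.7 POST /wp-admin/admin-ajax.php action=heartbeat 200
2026-05-13 02:12:30 192.0.2.9 GET /index.php action=monsterinsights_get_ads_access_token 200
"""

AJAX_PATH = "/wp-admin/admin-ajax.php"
TOKEN_ACTION = "action=monsterinsights_get_ads_access_token"


def parse_w3c(text: str) -> list[dict[str, str]]:
    """Parse W3C extended format; the '#Fields:' directive names the columns."""
    fields: list[str] = []
    entries: list[dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) != len(fields):
                continue  # skip malformed rows instead of misaligning columns
            entry = dict(zip(fields, values))
            if entry.get("cs-uri-query") == "-":  # W3C writes an empty query as '-'
                entry["cs-uri-query"] = ""
            entries.append(entry)
    return entries


def matches_selection(entry: dict[str, str]) -> bool:
    """Sigma ANDs the two 'contains' clauses of the selection above."""
    return (AJAX_PATH in entry.get("cs-uri-stem", "")
            and TOKEN_ACTION in entry.get("cs-uri-query", ""))


def detect(text: str) -> list[dict[str, str]]:
    """Return the log entries that fire the rule."""
    return [e for e in parse_w3c(text) if matches_selection(e)]


def blind_spots(text: str) -> list[dict[str, str]]:
    """admin-ajax.php also accepts 'action' in the POST body, which web server
    logs do not record, so these requests cannot be classified by the rule."""
    return [e for e in parse_w3c(text)
            if e.get("cs-method") == "POST"
            and AJAX_PATH in e.get("cs-uri-stem", "")
            and "action=" not in e.get("cs-uri-query", "")]
```

On the sample, only the first line fires; the second is a POST whose action (if any) travelled in the body, which is why this rule is best paired with WordPress-side or application-layer logging of AJAX actions.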
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-5371 | Auth Bypass | MonsterInsights – Google Analytics Dashboard for WordPress plugin versions <= 10.1.2 |
| CVE-2026-5371 | Information Disclosure | MonsterInsights plugin function get_ads_access_token() |
| CVE-2026-5371 | Misconfiguration | MonsterInsights plugin function reset_experience() |
| CVE-2026-5371 | Privilege Escalation | Authenticated attackers with Subscriber-level access |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 13, 2026 at 02:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.