WordPress Plugin Flaw Allows Arbitrary Plugin Installation and RCE
The ExactMetrics – Google Analytics Dashboard for WordPress plugin, specifically versions up to and including 9.1.2, harbors a critical vulnerability. According to the National Vulnerability Database, this flaw allows authenticated attackers with editor-level access and the ‘exactmetrics_view_dashboard’ capability to install and activate arbitrary plugins. The vulnerability stems from the exposure of an ‘onboarding_key’ which bypasses authorization checks for a critical REST endpoint, ultimately leading to Remote Code Execution.
Attackers can leverage this by obtaining a one-time hash token via the ‘/wp-json/exactmetrics/v1/onboarding/connect-url’ endpoint. This token, when passed to the ‘exactmetrics_connect_process’ AJAX endpoint, allows the installation of any plugin from a URL provided in the ‘file’ parameter. Crucially, this endpoint lacks nonce verification and capability checks, making it a direct pathway for attackers to gain control of a WordPress site.
Defenders must prioritize patching this vulnerability. Any WordPress site utilizing the ExactMetrics plugin should be updated to a secure version immediately. Administrators should also review user roles and permissions, particularly ensuring that only trusted individuals possess the ‘exactmetrics_view_dashboard’ capability. This incident underscores the persistent risk of supply chain attacks and privilege escalation vulnerabilities within popular WordPress plugins.
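For sites that cannot rule out prior exposure, the following added example (not part of the original advisory or the plugin's code) scans web access logs for the two requests described above and marks an install request that follows a token request from the same client. It assumes Combined Log Format and that the `action` and `file` parameters appear in the query string; parameters sent in a POST body are not recorded in access logs, so a clean result is not proof of absence.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoint names are taken from the advisory; the rest is illustrative.
REST_ROUTE = "/exactmetrics/v1/onboarding/connect-url"
AJAX_ACTION = "exactmetrics_connect_process"
# Combined Log Format prefix: ip - user [time] "METHOD target PROTO" status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def classify(target):
    """Return ('token' | 'install' | None, file_param_present)."""
    parts = urlsplit(target)
    query = parse_qs(parts.query)
    path = unquote(parts.path).rstrip("/")
    # Sites without pretty permalinks expose REST routes as ?rest_route=/...
    rest = query.get("rest_route", [""])[0].rstrip("/")
    if path.endswith("/wp-json" + REST_ROUTE) or rest == REST_ROUTE:
        return "token", False
    if path.endswith("/admin-ajax.php") and AJAX_ACTION in query.get("action", []):
        return "install", "file" in query
    return None, False

def find_suspicious(lines):
    """Flag token/install requests; mark installs that follow a token from the same IP."""
    token_ips, hits = set(), []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, when, _method, target, status = m.groups()
        stage, has_file = classify(target)
        if stage is None:
            continue
        if stage == "token":
            token_ips.add(ip)
        hits.append({"ip": ip, "time": when, "stage": stage, "status": int(status),
                     "file_param": has_file, "chained": stage == "install" and ip in token_ips})
    return hits

# Constructed sample log lines (documentation IP ranges, placeholder URL).
SAMPLE = [
    '192.0.2.10 - - [23/Apr/2026:14:01:02 +0000] "GET /wp-json/exactmetrics/v1/onboarding/connect-url HTTP/1.1" 200 412',
    '198.51.100.7 - - [23/Apr/2026:14:01:05 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 9120',
    '192.0.2.10 - - [23/Apr/2026:14:01:09 +0000] "POST /wp-admin/admin-ajax.php?action=exactmetrics_connect_process&file=https%3A%2F%2Fexample.invalid%2Fx.zip HTTP/1.1" 200 31',
    '198.51.100.7 - - [23/Apr/2026:14:02:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 58',
]
if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE):
        print(hit)
```

Any hit with `chained` set warrants checking the installed-plugins list and the authenticated account behind that client address for the same time window.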
What This Means For You
- If your organization uses the ExactMetrics – Google Analytics Dashboard for WordPress plugin (versions up to 9.1.2), you must patch immediately to prevent unauthorized plugin installation and potential Remote Code Execution. Audit user roles to ensure the 'exactmetrics_view_dashboard' capability is only assigned to trusted personnel.
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-5464 | Vulnerability | CVE-2026-5464 |
| CVE-2026-5464 | Affected Product | all |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 23, 2026 at 13:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.