What is the authoritative source for CVE-2026-1993?

CVE-2026-1993 (CVE-2026-1993) is catalogued in NVD + CISA KEV + FIRST EPSS and curated for EU compliance use cases by SQUR.

How severe is CVE-2026-1993?

CVE-2026-1993 carries a HIGH CVSS 8.8 severity rating.

CVE-2026-1993HIGH 8.8EPSS p29.7%

CVE-2026-1993CVE-2026-1993

Description

The ExactMetrics – Google Analytics Dashboard for WordPress plugin is vulnerable to Improper Privilege Management in versions 7.1.0 through 9.0.2. This is due to the `update_settings()` function accepting arbitrary plugin setting names without a whitelist of allowed settings. This makes it possible for authenticated attackers with the `exactmetrics_save_settings` capability to modify any plugin setting, including the `save_settings` option that controls which user roles have access to plugin functionality. The admin intended to delegate configuration access to a trusted user, not enable that user to delegate access to everyone. By setting `save_settings` to include `subscriber`, an attacker can grant plugin administrative access to all subscribers on the site.

Scoring

CVSS 3.1	8.8 (HIGH)
Vector	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS	0.38% probability of exploitation · percentile 29.7% · 2026-06-18T12:00:27Z
Published	2026-03-11
Last modified	2026-04-22