CVE-2026-5464 ExactMetrics <= 9.1.2 - Authenticated (Editor+) Arbitrary Plugin Installation/Activation via exactmetrics_connect_process

The ExactMetrics – Google Analytics Dashboard for WordPress Website Stats Plugin plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation and activation in all versions up to, and including, 9.1.2. This is due to the reports page exposing the 'onboardingkey' transient to a...

Cross site request forgery (csrf)

Cross-Site Request Forgery CSRF vulnerability in ThemeFusion Avada premium theme versions = 7.8.1 on WordPress leading to arbitrary plugin installation/activation...