Research | 7 min read

MonsterInsights OAuth Theft: 3M Sites at Risk (CVE-2026-5371)

By WP Vanguard Team

A Subscriber-level WordPress account on a MonsterInsights site can steal the site owner's live Google OAuth access token and reset the Google Ads integration on the way out. The bug is tracked as CVE-2026-5371, carries a CVSS score of 7.1, and affects every MonsterInsights release up to and including 10.1.2. The patch is in 10.1.3.

MonsterInsights is the most popular Google Analytics plugin for WordPress, with more than three million active installs. Any site that has either public registration enabled, e-commerce customer accounts, or a forum with self-service signup is part of the exposed surface. The token an attacker walks away with is a portable bearer credential that works against Google APIs from anywhere, until it expires or is manually revoked.

What Got Broken

MonsterInsights wires the WordPress admin to Google Analytics and Google Ads through an OAuth flow. The site owner clicks "Connect," logs in to their Google account, and a token comes back to the WordPress site. That token sits in the database and is used whenever the plugin needs to fetch metrics or update an Ads campaign.

Two AJAX handlers exposed for the admin UI are at the center of the bug: get_ads_access_token(), which hands back the stored Google OAuth access token, and reset_experience(), which clears the Google Ads integration state.

Both handlers are wired through WordPress's wp_ajax_ action hook, which fires for any logged-in user regardless of role. The plugin's authors expected that "authenticated user" would only ever mean an administrator, because that's who uses the Google Ads UI. So the handlers check the request's nonce but never check the user's capability.

That single missing check is the entire bug. Specifically, get_ads_access_token() and reset_experience() go straight from check_ajax_referer() to doing their work, returning the token in one case and wiping the Ads connection in the other. There is no current_user_can( 'manage_options' ) in between.

Why Nonce-Only Is Not Authentication

This vulnerability is a near-perfect illustration of the principle we covered in our explainer on WordPress nonces. Nonces protect against cross-site request forgery. They prove that the request was generated from a page this site served to this logged-in session, so a third-party site cannot forge it. They say nothing about which role that user holds, and they say nothing about what that user is allowed to do.

If a Subscriber visits wp-admin/profile.php (which Subscribers can access by default), the page response contains a JavaScript blob with a fresh MonsterInsights admin nonce embedded in it. That's because the plugin's admin scripts are enqueued on every wp-admin page, not gated by capability. A Subscriber grepping the page source finds the nonce in seconds.

With the nonce in hand, the Subscriber sends:

curl -X POST https://target.example.com/wp-admin/admin-ajax.php \
  -b "wordpress_logged_in_xxx=<subscriber-session-cookie>" \
  -d "action=monsterinsights_ads_get_token&nonce=<scraped-nonce>"

The server cheerfully replies with the Google OAuth access token. The Subscriber didn't trigger a single capability error along the way.

What an Attacker Does With the Token

A Google OAuth access token issued for the Google Analytics or Google Ads scope is read access (and sometimes write access) to the site owner's actual Google account, for as long as the token is valid. Typical validity is one hour for a bare access token. If the plugin also holds a long-lived refresh token and that is exposed the same way, the attacker can mint fresh access tokens until the grant is revoked from the Google side.

Concrete attacker payoffs:

Read every Analytics property the owner has connected, including businesses they manage for other clients if the same Google account administers multiple GA4 properties.

Drain a Google Ads budget. Tokens with Ads scope can pause campaigns, change bids, or reroute spending to attacker-controlled campaigns. By the time the site owner notices, the daily budget cap has flushed through to the attacker's chosen line item.

Pivot to other Google products. Many site owners use one Google account for everything: Analytics, Ads, Search Console, Drive, Workspace email. The OAuth scopes the plugin requested are limited, but the account itself is the same one that holds all the other credentials. A token gives the attacker an exact identifier (the email address) and a verified entry point for phishing.

The reset variant of the bug (reset_experience) lets the attacker clear the Ads integration state after they're done, which delays detection. The site owner returns to the dashboard, sees "Not Connected," shrugs, and reconnects, potentially handing out a fresh token.

Who Is Actually at Risk

Three site types account for almost all of the exposure:

WooCommerce stores with customer accounts. Customer signups get WooCommerce's Customer role, which carries the same bare read capability as Subscriber. Any store that has run a sale this year has likely created hundreds of these accounts, and each one is a potential exploitation seat. One caveat to verify on your own install: WooCommerce redirects Customer-role users away from wp-admin pages by default, so check whether a Customer can still load a page that embeds the MonsterInsights nonce before deciding the store is not exposed.

Membership and LMS sites. BuddyPress, MemberPress, LearnDash, LifterLMS sites typically grant new members Subscriber or a custom low-privilege role. If MonsterInsights is on the site (and it usually is, because owners want analytics on member behavior), every member can pull the token.

Sites with "Anyone can register" enabled. General-purpose WordPress sites that left this setting on, often unintentionally. Spam registrations are the usual nuisance; CVE-2026-5371 turns them into a credential heist.

If you don't fall in any of these categories and you have manually audited that your only users are administrators and editors, your risk is lower, but not zero. A future bug that adds an account-creation primitive to an unrelated plugin would chain neatly with this one.

How to Patch and Clean Up

Four steps:

1. Update MonsterInsights to 10.1.3.

wp plugin update google-analytics-for-wordpress

The slug google-analytics-for-wordpress is the WordPress.org repository name. The marketing name is MonsterInsights.

2. Revoke the Google OAuth grant from Google's side.

Even after you update, the token that was stolen during the vulnerable window is still valid until Google invalidates it. Go to your Google Account's third-party access page (https://myaccount.google.com/permissions), find the MonsterInsights connection, and click "Remove access." Reconnect from the MonsterInsights settings page afterward. This forces a fresh OAuth flow and issues a new token, leaving the stolen one useless.

3. Audit your Google Ads campaigns.

Open the Google Ads console, sort campaigns by last-modified date, and look for changes you don't recognize; the Change history view is the quickest way to see edits made through the API rather than by a person in the UI. Pay special attention to budgets, bid strategy changes, and new campaigns. If anything looks off, document it before reverting, because Google Ads support sometimes refunds spend caused by unauthorized API access.

4. Audit your Subscriber account list.

wp user list --role=subscriber --fields=ID,user_login,user_email,user_registered \
  --orderby=user_registered --order=DESC

Any subscriber account registered while a vulnerable version was installed, and in particular any account whose registration you cannot explain, should be considered suspect. On WooCommerce sites run the same query with --role=customer. Delete obvious spam accounts. Treat legitimate-looking but unexpected ones with caution.
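For steps 1 and 4 of this procedure, here is an added WP-CLI script (not the article's or MonsterInsights' own code) that checks the installed plugin version against the patched release and lists Subscriber and Customer accounts registered on or after a date you supply, newest first, which the plain wp user list command cannot filter by. It assumes the plugin lives under the google-analytics-for-wordpress slug named above, that the roles worth reviewing are subscriber and WooCommerce's customer, and it uses the presence of the session_tokens user meta as a rough "has this account ever logged in" signal.

```php
<?php
// Added example, not the article's or the plugin's own code.
// Run from the site root:  wp eval-file cve-2026-5371-cleanup.php 2026-03-01
// The date is the start of your exposure window (assumption: you pick it).
if ( ! defined( 'WP_CLI' ) ) {
    fwrite( STDERR, "Run with: wp eval-file <this file> <YYYY-MM-DD>\n" );
    exit( 1 );
}
require_once ABSPATH . 'wp-admin/includes/plugin.php';   // get_plugins(), is_plugin_active()

$since = isset( $args[0] ) ? $args[0] : null;            // wp eval-file puts extra args in $args
if ( ! $since || ! strtotime( $since ) ) {
    WP_CLI::error( 'Pass the first suspect date, e.g. 2026-03-01' );
}

// 1. Is the installed MonsterInsights at or above the patched release (10.1.3)?
$installed = null;
$active    = '';
foreach ( get_plugins() as $file => $meta ) {
    // Match on the repository slug so the main file name does not matter.
    if ( strpos( $file, 'google-analytics-for-wordpress/' ) === 0 ) {
        $installed = $meta['Version'];
        $active    = is_plugin_active( $file ) ? 'active' : 'inactive';
        break;
    }
}
if ( $installed === null ) {
    WP_CLI::log( 'MonsterInsights (google-analytics-for-wordpress) is not installed.' );
} elseif ( version_compare( $installed, '10.1.3', '<' ) ) {
    WP_CLI::warning( "MonsterInsights $installed ($active) is still vulnerable; update to 10.1.3 or later." );
} else {
    WP_CLI::success( "MonsterInsights $installed ($active) carries the fix." );
}

// 4. Low-privilege accounts registered inside the exposure window, newest first.
// role__in covers plain Subscribers and WooCommerce Customers (assumed roles to review).
$users = get_users( array(
    'role__in'   => array( 'subscriber', 'customer' ),
    'date_query' => array( array( 'after' => $since, 'inclusive' => true ) ), // on user_registered
    'orderby'    => 'registered',
    'order'      => 'DESC',
) );
WP_CLI::log( sprintf( '%d subscriber/customer accounts registered on or after %s:', count( $users ), $since ) );
foreach ( $users as $u ) {
    // Heuristic: WordPress stores login sessions in the session_tokens meta,
    // so a non-empty value means the account has been used, not just created.
    $sessions = get_user_meta( $u->ID, 'session_tokens', true );
    WP_CLI::log( sprintf( '%6d  %-24s %-32s %s  %s',
        $u->ID, $u->user_login, $u->user_email, $u->user_registered,
        $sessions ? 'has-logged-in' : 'never-logged-in' ) );
}
```

Accounts that show up as never-logged-in are usually registration spam; the ones that have logged in but that nobody on your team recognizes are the ones to look at first.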

The Wider Pattern

CVE-2026-5371 is part of a recurring class of WordPress plugin bug: an AJAX handler that was meant to be admin-only but checks only the nonce. The User Registration & Membership auth bypass we covered in April was a structurally similar miss in a different plugin. So was the third-party-fetch class behind Breeze Cache.

The fix is always the same shape: every privileged action needs a capability check (current_user_can()) sitting next to the nonce check. The two checks answer different questions. The nonce answers "is this request from a page on my site?" The capability check answers "is this user allowed to do this?" Skipping either one creates a vulnerability; skipping the second one is the most common version on WordPress.
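To make the two questions concrete, here is an added example (not MonsterInsights code) that serves both the missing-check description in "What Got Broken" and the fix shape described here: the nonce-only handler pair beside its hardened form, driven by a simulated Subscriber and a simulated Administrator. The WordPress functions in it are simplified stand-ins so the file runs from the CLI without a WordPress install, and the nonce action 'mi-admin-nonce', the option name 'monsterinsights_ads_token' and the mi_ helper names are placeholders, not the plugin's real identifiers.

```php
<?php
// Added example, not MonsterInsights code. Run with: php nonce-vs-capability.php
// Everything in the "stand-ins" section is an assumed, simplified imitation of
// WordPress core, present only so the two handler shapes can be exercised offline.

class MI_Response extends Exception {   // stand-in for wp_send_json_*() printing JSON and exiting
    public $data;
    public function __construct( $code, $data ) { parent::__construct( '', $code ); $this->data = $data; }
}
$GLOBALS['mi_user']    = null;                                                  // simulated logged-in user
$GLOBALS['mi_options'] = array( 'monsterinsights_ads_token' => 'ya29.example-access-token' );

// ---- simplified stand-ins for WordPress core ------------------------------
function wp_create_nonce( $action ) {
    // Real nonces also mix in the session token and a time tick; what matters
    // here is that a nonce is bound to a user id, never to a capability.
    return substr( hash( 'sha256', $action . '|' . $GLOBALS['mi_user']['id'] ), 0, 10 );
}
function check_ajax_referer( $action, $query_arg ) {
    $sent = isset( $_REQUEST[ $query_arg ] ) ? (string) $_REQUEST[ $query_arg ] : '';
    if ( ! hash_equals( wp_create_nonce( $action ), $sent ) ) {
        wp_send_json_error( 'bad nonce', 403 );
    }
    return true;
}
function current_user_can( $cap ) {
    $u = $GLOBALS['mi_user'];
    return $u !== null && in_array( $cap, $u['caps'], true );
}
function get_option( $name, $default = false ) {
    return isset( $GLOBALS['mi_options'][ $name ] ) ? $GLOBALS['mi_options'][ $name ] : $default;
}
function delete_option( $name ) { unset( $GLOBALS['mi_options'][ $name ] ); return true; }
function wp_send_json_success( $data = null ) { throw new MI_Response( 200, $data ); }
function wp_send_json_error( $data = null, $code = 500 ) { throw new MI_Response( $code, $data ); }

// ---- vulnerable shape: nonce check only -----------------------------------
function get_ads_access_token_vulnerable() {
    check_ajax_referer( 'mi-admin-nonce', 'nonce' );
    // Nothing here asks what the caller is allowed to do.
    wp_send_json_success( array( 'token' => get_option( 'monsterinsights_ads_token' ) ) );
}
function reset_experience_vulnerable() {
    check_ajax_referer( 'mi-admin-nonce', 'nonce' );
    delete_option( 'monsterinsights_ads_token' );
    wp_send_json_success( 'reset' );
}

// ---- hardened shape: nonce check AND capability check ---------------------
function mi_require_admin() {
    check_ajax_referer( 'mi-admin-nonce', 'nonce' );          // is this request from my own page?
    if ( ! current_user_can( 'manage_options' ) ) {           // is this user allowed to do this?
        wp_send_json_error( 'insufficient permissions', 403 );
    }
}
function get_ads_access_token_fixed() {
    mi_require_admin();
    wp_send_json_success( array( 'token' => get_option( 'monsterinsights_ads_token' ) ) );
}
function reset_experience_fixed() {
    mi_require_admin();
    delete_option( 'monsterinsights_ads_token' );
    wp_send_json_success( 'reset' );
}

// ---- drive both shapes with a Subscriber and an Administrator -------------
function mi_simulate( $handler, $user ) {
    $GLOBALS['mi_user'] = $user;
    $_REQUEST['nonce']  = wp_create_nonce( 'mi-admin-nonce' );   // the nonce scraped from profile.php
    try {
        $handler();
    } catch ( MI_Response $r ) {
        return array( $r->getCode(), json_encode( $r->data ) );
    }
    return array( 0, 'handler returned without responding' );
}

$subscriber = array( 'id' => 42, 'caps' => array( 'read' ) );
$admin      = array( 'id' => 1,  'caps' => array( 'read', 'manage_options' ) );
$cases = array(
    array( 'get_ads_access_token_vulnerable', $subscriber ),   // nonce passes, token handed over
    array( 'get_ads_access_token_fixed',      $subscriber ),   // nonce passes, capability check refuses
    array( 'get_ads_access_token_fixed',      $admin ),        // the intended caller still works
    array( 'reset_experience_fixed',          $subscriber ),   // refused, token stays stored
    array( 'reset_experience_vulnerable',     $subscriber ),   // wipes the integration
);
foreach ( $cases as $c ) {
    list( $code, $body ) = mi_simulate( $c[0], $c[1] );
    printf( "%-32s user %-2d -> HTTP %d %s\n", $c[0], $c[1]['id'], $code, $body );
}
```

Note that the Subscriber's nonce is perfectly valid in every case: it was minted for that user, and check_ajax_referer() is satisfied. Only the capability check separates the two outcomes, which is why a nonce can never substitute for one.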

If you're auditing your own plugin or someone else's, search the codebase for wp_ajax_ and check_ajax_referer and verify each handler has a capability check before it does anything sensitive. It's a one-grep job that catches a recurring bug class.
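The grep catches the obvious cases; the added script below (not the article's or any plugin's code) goes one step further by resolving each wp_ajax_ hook to its callback, which is usually a class method registered as array( $this, 'method' ), pulling out that method's body, and reporting whether a nonce check and a capability check appear inside it. Run it against a plugin directory; with no argument it scans a constructed sample plugin that it writes to a temp directory, so it runs offline. The function names, regexes and sample plugin are all mine, and the brace matching does not skip braces inside strings or comments, so treat the output as a triage list rather than a verdict.

```php
<?php
// Added example, not from the article or any plugin.
// Usage: php audit-ajax.php /path/to/wp-content/plugins/some-plugin
//        php audit-ajax.php            (scans the constructed sample below)

const HOOK_RE     = '/add_action\s*\(\s*[\'"](wp_ajax_(?:nopriv_)?[\w\-]+)[\'"]\s*,\s*(.+?)\s*\)\s*;/s';
const NONCE_CHECK = '/\b(?:check_ajax_referer|check_admin_referer|wp_verify_nonce)\s*\(/';
const CAP_CHECK   = '/\b(?:current_user_can|current_user_can_for_blog|user_can)\s*\(/';

function load_php_files( $dir ) {
    $files = array();
    $it = new RecursiveIteratorIterator( new RecursiveDirectoryIterator( $dir, FilesystemIterator::SKIP_DOTS ) );
    foreach ( $it as $f ) {
        if ( strtolower( $f->getExtension() ) === 'php' ) {
            $files[ $f->getPathname() ] = file_get_contents( $f->getPathname() );
        }
    }
    return $files;
}

// Function or method name behind a callback spec: 'fn', array( $this, 'm' ), [ 'Cls', 'm' ].
function callback_name( $spec ) {
    return preg_match_all( '/[\'"]([A-Za-z_]\w*)[\'"]/', $spec, $m ) ? end( $m[1] ) : null;
}

// Brace-matched body of the first function/method named $name in any file.
function find_body( array $files, $name ) {
    $re = '/\bfunction\s+' . preg_quote( $name, '/' ) . '\s*\(/i';
    foreach ( $files as $path => $src ) {
        if ( ! preg_match( $re, $src, $m, PREG_OFFSET_CAPTURE ) ) continue;
        $open = strpos( $src, '{', $m[0][1] );
        if ( $open === false ) continue;
        for ( $i = $open, $depth = 0, $n = strlen( $src ); $i < $n; $i++ ) {
            if ( $src[ $i ] === '{' ) $depth++;
            elseif ( $src[ $i ] === '}' && --$depth === 0 ) return array( $path, substr( $src, $open, $i - $open + 1 ) );
        }
    }
    return null;   // closure, dynamically named, or defined outside this tree
}

function audit( $dir ) {
    $files = load_php_files( $dir );
    $rows  = array();
    foreach ( $files as $path => $src ) {
        preg_match_all( HOOK_RE, $src, $hooks, PREG_SET_ORDER );
        foreach ( $hooks as $h ) {
            $name  = callback_name( $h[2] );
            $found = $name ? find_body( $files, $name ) : null;
            $rows[] = array(
                'hook'  => $h[1],
                'fn'    => $name ?: '(dynamic)',
                'file'  => basename( $found ? $found[0] : $path ),
                'nonce' => $found ? (bool) preg_match( NONCE_CHECK, $found[1] ) : null,
                'cap'   => $found ? (bool) preg_match( CAP_CHECK, $found[1] ) : null,
            );
        }
    }
    return $rows;
}

// Constructed sample plugin (not real code), used only when no directory is given.
function sample_plugin_dir() {
    $src = <<<'PHP'
<?php
class Sample_Ads {
    public function __construct() {
        add_action( 'wp_ajax_sample_get_token', array( $this, 'get_token' ) );
        add_action( 'wp_ajax_sample_reset', [ $this, 'reset' ] );
        add_action( 'wp_ajax_nopriv_sample_ping', 'sample_ping' );
    }
    public function get_token() {                     // nonce only: the CVE-2026-5371 shape
        check_ajax_referer( 'sample-nonce', 'nonce' );
        wp_send_json_success( get_option( 'sample_token' ) );
    }
    public function reset() {                         // nonce and capability: fine
        check_ajax_referer( 'sample-nonce', 'nonce' );
        if ( ! current_user_can( 'manage_options' ) ) { wp_send_json_error( 'denied', 403 ); }
        delete_option( 'sample_token' );
        wp_send_json_success();
    }
}
function sample_ping() { wp_send_json_success( 'pong' ); }   // no checks at all
PHP;
    $dir = sys_get_temp_dir() . '/ajax-audit-' . getmypid();
    if ( ! is_dir( $dir ) ) mkdir( $dir );
    file_put_contents( $dir . '/sample.php', $src );
    return $dir;
}

$dir = isset( $argv[1] ) ? $argv[1] : sample_plugin_dir();
$yn  = function ( $v ) { return $v === null ? '?' : ( $v ? 'yes' : 'NO' ); };
foreach ( audit( $dir ) as $r ) {
    $flag = $r['cap'] === false ? 'FLAG' : ( $r['cap'] === null ? '????' : ' ok ' );
    printf( "[%s] %-30s -> %-14s nonce:%-3s cap:%-3s %s\n", $flag, $r['hook'], $r['fn'], $yn( $r['nonce'] ), $yn( $r['cap'] ), $r['file'] );
}
```

Rows marked ???? are hooks whose callback the script could not resolve (closures, names built at runtime) and need a manual look. A wp_ajax_nopriv_ hook is reachable without any login, so a flag on one of those is more serious than a flag on a wp_ajax_ hook.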

