Missing Authorization Vulnerability in WP Statistics Plugin by WordPress
CVE-2026-3488

6.5MEDIUM

Key Information:

Vendor: WordPress
Status: WP Statistics – Simple, Privacy-friendly Google Analytics Alternative
Vendor: CVE Published:; 17 April 2026

What is CVE-2026-3488?

The WP Statistics plugin for WordPress has a vulnerability that arises from the absence of proper authorization checks in its AJAX handlers. Specifically, the handlers wp_statistics_get_filters, wp_statistics_getPrivacyStatus, wp_statistics_updatePrivacyStatus, and wp_statistics_dismiss_notices fail to implement capability checks. As a result, any authenticated user with Subscriber-level permissions can exploit this flaw to access sensitive analytics information, such as user details and visitor tracking metrics, and manipulate privacy compliance statuses or administrative notices.

Affected Version(s)

WP Statistics – Simple, privacy-friendly Google Analytics alternative 0 <= 14.16.4

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/wp-statistics/...

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 17, 2026
Vulnerability Reserved
Mar 3, 2026

Credit

Jack Pas

CVE-2026-3488 Data

JSON