Stored Cross-Site Scripting Vulnerability in WP Statistics Plugin for WordPress
CVE-2026-5231

7.2 HIGH

What is CVE-2026-5231?

The WP Statistics plugin for WordPress is vulnerable to stored cross-site scripting (XSS) because of insufficient input sanitization and output escaping of the 'utm_source' parameter. When the plugin's referral parser matches a referrer against a wildcard channel domain, it copies the unfiltered 'utm_source' value straight into the 'source_name' field. That stored value is later inserted into the legend markup via innerHTML without escaping. As a result, unauthenticated attackers can store a script payload that executes in the browser of any administrator who opens the Referrals Overview or Social Media analytics pages.
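The data flow described above (a wildcard channel match copies utm_source into source_name, which later reaches the legend through innerHTML) is easiest to see in code. The following is an added example, not code from the WP Statistics plugin: the function names, the source_name field, the sample wildcard channel and the sample referrer URLs are constructed assumptions. It models the flow as plain string functions so it runs in Node without a DOM, puts the vulnerable pattern beside the two fixes a reviewer would look for (constrain the value at the parser boundary, escape at output), and adds a small check that a site owner could run over already-stored source names.

```javascript
// Added example, not code from the WP Statistics plugin. Models the
// utm_source -> source_name -> legend markup flow as pure string functions
// so it runs in Node. All names, sample config and sample URLs are assumptions.

// Constructed sample config: one wildcard channel domain.
const WILDCARD_CHANNELS = ['*.example-social.test'];

// '*.example.test' matches 'example.test' and any subdomain of it.
function hostMatchesWildcard(host, pattern) {
  if (!pattern.startsWith('*.')) return host === pattern;
  const base = pattern.slice(2);
  return host === base || host.endsWith('.' + base);
}

// Vulnerable parser (the flow the advisory describes): on a wildcard match
// the attacker-controlled utm_source becomes source_name unchanged.
function parseReferral(referrerUrl, channels = WILDCARD_CHANNELS) {
  const url = new URL(referrerUrl);
  const utmSource = url.searchParams.get('utm_source');
  const matched = channels.some((p) => hostMatchesWildcard(url.hostname, p));
  return { sourceName: matched && utmSource ? utmSource : url.hostname };
}

// Hardened parser: a display name only ever needs a small character set,
// so reject anything outside it before it is stored.
const SAFE_SOURCE = /^[A-Za-z0-9 _.-]{1,64}$/;
function parseReferralSafe(referrerUrl, channels = WILDCARD_CHANNELS) {
  const url = new URL(referrerUrl);
  const utmSource = url.searchParams.get('utm_source');
  const matched = channels.some((p) => hostMatchesWildcard(url.hostname, p));
  const candidate = matched && utmSource ? utmSource : url.hostname;
  return { sourceName: SAFE_SOURCE.test(candidate) ? candidate : 'unknown' };
}

// Minimal HTML escaping for text placed inside element content or
// double-quoted attributes. '&' must be handled first.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable rendering: the stored value is concatenated into markup that
// innerHTML would then parse, so any tags in it become live DOM.
function renderLegendVulnerable(items) {
  return items.map((i) => `<li>${i.sourceName}</li>`).join('');
}

// Fixed rendering: escape at the output boundary. In a real page, creating
// elements and assigning textContent avoids innerHTML entirely.
function renderLegendSafe(items) {
  return items.map((i) => `<li>${escapeHtml(i.sourceName)}</li>`).join('');
}

// Detection helper: flag stored source names that contain markup-like
// characters, e.g. when auditing rows written before the fix was applied.
function looksLikeMarkup(value) {
  return /[<>]|javascript:/i.test(value);
}

// Stand-alone demonstration with a constructed referrer carrying harmless
// tags in utm_source.
const sample =
  'https://news.example-social.test/?utm_source=%3Cb%3Ehi%3C%2Fb%3E';
console.log('vulnerable:', renderLegendVulnerable([parseReferral(sample)]));
console.log('escaped   :', renderLegendSafe([parseReferral(sample)]));
console.log('validated :', parseReferralSafe(sample).sourceName);
```

Both fixes are worth applying together: validation at the parser keeps junk out of the database, and escaping at render time protects against any other path by which a stored string reaches the page.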

Affected Version(s)

WP Statistics – Simple, privacy-friendly Google Analytics alternative, versions 0 through 14.16.4 (inclusive)

CVSS V3.1

Score: 7.2
Severity: HIGH
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

daroo