Cross-Site Request Forgery in GoStats Plugin for WordPress
CVE-2026-8943
4.3 MEDIUM
What is CVE-2026-8943?
The GoStats for WordPress plugin is vulnerable to Cross-Site Request Forgery (CSRF) due to inadequate nonce validation within the gostats_manage() function. An attacker needs no authentication of their own to exploit the flaw: by persuading an administrator to execute a malicious request, they can change essential plugin settings, such as the gostats_siteid and gostats_server options. This risk underlines the importance of robust nonce checks to safeguard against unauthorized actions within the plugin.
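The pattern a settings handler of this kind needs, shown as an added example that is not the GoStats plugin's source: a capability check plus a nonce that is emitted with the form and verified before any option is written. The function name, nonce action and nonce field name are assumptions; only the two option names come from the advisory.

```php
<?php
// Added example, not the plugin's code. Names prefixed "example_" / "EXAMPLE_"
// are hypothetical; gostats_siteid and gostats_server are from the advisory.

const EXAMPLE_GOSTATS_NONCE_ACTION = 'example_gostats_save_settings';
const EXAMPLE_GOSTATS_NONCE_FIELD  = 'example_gostats_nonce';

function example_gostats_manage() {
    // Authorisation: only users who may manage options reach the handler.
    // This alone does not stop CSRF, because the forged request rides on
    // the administrator's own session.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die(
            esc_html__( 'You are not allowed to manage these settings.' ),
            '',
            array( 'response' => 403 )
        );
    }

    if ( 'POST' === $_SERVER['REQUEST_METHOD'] ) {
        // CSRF check: stops the request unless the POST carries a nonce that
        // is valid for this action and the current user's session.
        check_admin_referer( EXAMPLE_GOSTATS_NONCE_ACTION, EXAMPLE_GOSTATS_NONCE_FIELD );

        // Options are written only after both checks have passed.
        foreach ( array( 'gostats_siteid', 'gostats_server' ) as $option ) {
            if ( isset( $_POST[ $option ] ) ) {
                $value = sanitize_text_field( wp_unslash( $_POST[ $option ] ) );
                update_option( $option, $value );
            }
        }
    }
    ?>
    <form method="post">
        <?php // Emits the hidden nonce field that check_admin_referer() expects. ?>
        <?php wp_nonce_field( EXAMPLE_GOSTATS_NONCE_ACTION, EXAMPLE_GOSTATS_NONCE_FIELD ); ?>
        <input type="text" name="gostats_siteid"
               value="<?php echo esc_attr( get_option( 'gostats_siteid', '' ) ); ?>">
        <input type="text" name="gostats_server"
               value="<?php echo esc_attr( get_option( 'gostats_server', '' ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}
```

When reviewing a handler like this, confirm that the nonce verification runs on every code path that reaches update_option(), not only when a nonce field happens to be present in the request.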
Affected Version(s)
GoStats for WordPress: versions 0 through 1.4 (inclusive)