CVE-2026-1238
Stored XSS in SlimStat Analytics WordPress Plugin Allows Script Injection
Publication date: 2026-03-19
Last updated on: 2026-03-19
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wp-slimstat | slimstat_analytics | up to and including 5.3.5 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
The SlimStat Analytics plugin for WordPress, up to version 5.3.5, has a Stored Cross-Site Scripting (XSS) vulnerability. This occurs because the plugin does not properly sanitize or escape the input received via the 'fh' (fingerprint) parameter. As a result, an unauthenticated attacker can inject malicious scripts into pages tracked by the plugin. These scripts execute whenever a user accesses the infected page, potentially compromising user security.
How can this vulnerability impact me? :
This vulnerability allows attackers to inject arbitrary web scripts that execute in the context of users visiting the affected WordPress site. The impact includes the potential for attackers to steal sensitive information such as cookies or session tokens, perform actions on behalf of users without their consent, or deliver malicious payloads. Since the vulnerability is exploitable without authentication and affects all users accessing the injected pages, it poses a significant security risk.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability is a Stored Cross-Site Scripting (XSS) issue in the 'fh' (fingerprint) parameter of the SlimStat Analytics WordPress plugin, up to and including version 5.3.5. Detection means looking for requests that carry markup or script in that parameter, and for injected content in the pages the plugin renders.

Because the vulnerable input is the 'fh' parameter, attempts can be found by inspecting web server logs or network monitoring data for requests in which that parameter contains suspicious content. Payloads are normally URL-encoded in logs (a '<' appears as '%3C', and may be double-encoded as '%253C'), so decode the value before matching on it.

- Search web server logs for the parameter, for example: grep -iE '[?&]fh=' /var/log/apache2/access.log. A bare 'fh=' pattern also matches unrelated parameters whose names merely end in "fh"; anchoring on '?' or '&' avoids that. Run the matches through a URL decoder before looking for '<', 'script', 'javascript:' or 'on...=' event handlers.
- Use curl or wget to send a harmless test value (a tag that only sets a marker, not a working payload) to the vulnerable endpoint and check whether it is stored and rendered unescaped. Do this only on systems you are authorised to test.
- Monitor the pages the plugin renders for unexpected script tags or injected markup.
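The log-inspection step above is easy to get wrong with a plain grep (encoded payloads slip past a literal '<', and 'fh=' matches other parameter names). The following script is an added example, not code from the SlimStat project or from this advisory: it parses Apache combined-format lines, extracts only the 'fh' query parameter, URL-decodes it repeatedly to catch double encoding, and flags values containing markup or script indicators. The log lines are constructed for the example, and the request path /tracker.php is a placeholder, since this page does not name the plugin's tracking endpoint.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Apache "combined" format. The IPs and the
# request path are placeholders; only the 'fh' parameter matters here.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Mar/2026:10:01:02 +0000] "GET /tracker.php?fh=abc123def HTTP/1.1" 200 12 "-" "Mozilla/5.0"
203.0.113.9 - - [19/Mar/2026:10:01:03 +0000] "GET /tracker.php?fh=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 12 "-" "curl/8.0"
203.0.113.9 - - [19/Mar/2026:10:01:04 +0000] "GET /tracker.php?fh=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 12 "-" "curl/8.0"
198.51.100.2 - - [19/Mar/2026:10:01:05 +0000] "GET /blog/?xfh=%3Cb%3E&fh=plaintext HTTP/1.1" 200 5 "-" "Mozilla/5.0"
"""

# Apache combined log format: client, identity, user, [timestamp], "request", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators of an attempt to break out into markup or script. Deliberately
# broad: a fingerprint value has no legitimate reason to contain any of these.
XSS_INDICATORS = {
    "html_tag": re.compile(r"<\s*/?\s*[a-zA-Z]"),
    "event_handler": re.compile(r"\bon[a-zA-Z]+\s*=", re.I),
    "js_uri": re.compile(r"javascript\s*:", re.I),
    "script_tag": re.compile(r"<\s*script", re.I),
}


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """URL-decode until stable so double-encoded payloads (%253C -> %3C -> <) are caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def fh_values(target: str) -> List[str]:
    """Return every 'fh' query value in a request target; other parameters are ignored."""
    query = urlsplit(target).query
    return parse_qs(query, keep_blank_values=True).get("fh", [])


def scan_line(line: str) -> Optional[Dict]:
    """Return a finding for a log line whose 'fh' value looks like XSS, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    for raw in fh_values(m["target"]):
        decoded = decode_fully(raw)
        indicators = [name for name, rx in XSS_INDICATORS.items() if rx.search(decoded)]
        if indicators:
            return {"ip": m["ip"], "ts": m["ts"], "decoded": decoded, "indicators": indicators}
    return None


def scan_log(text: str) -> List[Dict]:
    """Run scan_line over a whole log body and collect the suspicious requests."""
    return [hit for hit in map(scan_line, text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} fh={hit["decoded"]!r} -> {", ".join(hit["indicators"])}')
```

On the sample input the scanner reports the two requests from 203.0.113.9 and ignores the fourth line, where the only markup sits in the unrelated 'xfh' parameter that a literal grep for 'fh=' would have matched. One caveat: if the tracker submits the parameter in a POST body rather than the query string, the value never reaches a standard access log, and request-body logging or a WAF is needed to see it.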
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to update the SlimStat Analytics plugin to a release later than 5.3.5 in which the issue is fixed; the affected range listed on this page ends at 5.3.5 inclusive.

If updating is not immediately possible, deactivate the plugin temporarily to prevent exploitation.

Additionally, add Web Application Firewall (WAF) rules that block requests whose 'fh' parameter contains markup or script. Match on the URL-decoded value so that encoded and double-encoded payloads are not missed.

Review the data the plugin has already stored for injected content and remove any malicious entries. Updating stops new injections but does not clean up records written before the fix, and a stored payload keeps executing until it is removed.

Keep the WordPress core and all plugins up to date to reduce exposure to known vulnerabilities.