CVE-2026-2936
Stored XSS in WordPress Visitor Traffic Plugin Allows Admin Attack
Publication date: 2026-04-04
Last updated on: 2026-04-04
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordfence | visitor_traffic_real_time_statistics | to 8.4 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Visitor Traffic Real Time Statistics plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in the 'page_title' parameter in all versions up to and including 8.4. This vulnerability arises because the plugin does not properly sanitize or escape input and output, allowing unauthenticated attackers to inject malicious web scripts.
These injected scripts execute whenever an admin user views the Traffic by Title section in the WordPress admin interface, potentially compromising the admin's session or site security.
How can this vulnerability impact me? :
This vulnerability can allow unauthenticated attackers to execute arbitrary scripts in the context of an admin userβs browser when they access the Traffic by Title section of the plugin.
Such script execution can lead to theft of admin credentials, session hijacking, unauthorized actions performed with admin privileges, or further compromise of the WordPress site.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves stored Cross-Site Scripting (XSS) via the 'page_title' parameter in the Visitor Traffic Real Time Statistics WordPress plugin. Detection typically involves inspecting the plugin's stored data for malicious scripts injected into the 'page_title' field.
Since the vulnerability triggers when an admin user accesses the Traffic by Title section, monitoring HTTP requests and responses related to this section for suspicious script tags or unusual content in the 'page_title' parameter can help detect exploitation attempts.
Specific commands are not provided in the available resources, but general approaches include:
- Using WP-CLI to export or search plugin data for suspicious script tags in page titles.
- Using network monitoring tools (e.g., tcpdump, Wireshark) to capture HTTP traffic to the WordPress admin interface and filter for suspicious payloads.
- Running database queries to search for script tags in the plugin's stored page_title entries.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to update the Visitor Traffic Real Time Statistics plugin to version 8.5 or later, as this version includes a fix that prevents stored Cross-Site Scripting attacks by properly escaping and sanitizing the 'page_title' parameter.
Additional benefits of updating include improved performance, safer database cleanup operations, and bot filtering mechanisms that reduce monitoring overhead.
Until the update can be applied, restrict access to the WordPress admin interface to trusted users only, as the vulnerability executes when an admin views the affected section.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows unauthenticated attackers to inject arbitrary web scripts that execute when an admin accesses certain plugin sections, potentially leading to unauthorized access or manipulation of administrative functions.
Such stored Cross-Site Scripting (XSS) vulnerabilities can compromise the confidentiality and integrity of data managed through the affected WordPress plugin.
This could impact compliance with standards like GDPR and HIPAA, which require protection of personal data and secure administrative access, by increasing the risk of data breaches or unauthorized data exposure.