CVE-2026-5231
Received Received - Intake
Stored XSS in WP Statistics Plugin Allows Admin Page Script Injection

Publication date: 2026-04-17

Last updated on: 2026-04-17

Assigner: Wordfence

Description
The WP Statistics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'utm_source' parameter in all versions up to, and including, 14.16.4. This is due to insufficient input sanitization and output escaping. The plugin's referral parser copies the raw utm_source value into the source_name field when a wildcard channel domain matches, and the chart renderer later inserts this value into legend markup via innerHTML without escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in admin pages that will execute whenever an administrator accesses the Referrals Overview or Social Media analytics pages.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-17
Last Modified
2026-04-17
Generated
2026-06-16
AI Q&A
2026-04-17
EPSS Evaluated
2026-06-14
NVD
CVE-2026-5231
EUVD
EUVD-2026-23342
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wp_statistics plugin to 14.16.4 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The WP Statistics plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in the 'utm_source' parameter in all versions up to and including 14.16.4.

This vulnerability occurs because the plugin does not properly sanitize or escape input. Specifically, the referral parser copies the raw 'utm_source' value into the source_name field when a wildcard channel domain matches.

Later, the chart renderer inserts this value into legend markup using innerHTML without escaping it, allowing an attacker to inject arbitrary web scripts.

These scripts execute whenever an administrator views the Referrals Overview or Social Media analytics pages, and the attacker does not need to be authenticated.

Impact Analysis

This vulnerability allows unauthenticated attackers to inject and execute arbitrary scripts in the admin pages of the WordPress site using the WP Statistics plugin.

As a result, attackers could potentially perform actions such as stealing administrator session cookies, defacing admin pages, or conducting further attacks within the administrative context.

The CVSS score of 7.2 indicates a high severity, with impacts on confidentiality and integrity but not availability.

Compliance Impact

The vulnerability allows unauthenticated attackers to inject arbitrary web scripts into admin pages, potentially leading to unauthorized access or manipulation of sensitive data within the WordPress admin interface.

Such unauthorized script execution could compromise the confidentiality and integrity of data, which may impact compliance with standards and regulations like GDPR and HIPAA that require protection of personal and sensitive information.

However, the provided information does not explicitly detail the direct effects on compliance with these standards.

Mitigation Strategies

To mitigate this vulnerability, you should update the WP Statistics plugin to a version later than 14.16.4 where the issue is fixed.

Additionally, restrict access to the WordPress admin pages to trusted users only, as the vulnerability allows unauthenticated attackers to inject scripts that execute in admin pages.

Consider implementing web application firewall (WAF) rules to block malicious payloads targeting the 'utm_source' parameter.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5231. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart