CVE-2026-5231
Stored XSS in WP Statistics Plugin Allows Admin Page Script Injection

Publication date: 2026-04-17

Last updated on: 2026-04-17

Assigner: Wordfence

Description
The WP Statistics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'utm_source' parameter in all versions up to, and including, 14.16.4. This is due to insufficient input sanitization and output escaping. The plugin's referral parser copies the raw utm_source value into the source_name field when a wildcard channel domain matches, and the chart renderer later inserts this value into legend markup via innerHTML without escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in admin pages that will execute whenever an administrator accesses the Referrals Overview or Social Media analytics pages.
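The sink named in the description, as an added JavaScript example that is not the plugin's own code: a chart-legend renderer that concatenates `source_name` straight into markup destined for `innerHTML`, beside a version that escapes every untrusted field, plus a check that flags stored referral rows carrying HTML-significant characters. The row shape (`source_name`, `hits`) and the sample rows are assumptions, not the plugin's real schema.

```javascript
// Added example, not WP Statistics code. Row shape {source_name, hits} is an
// assumption modelled on the advisory; sample rows below are constructed.

// Minimal HTML escaper for text placed inside element content or attributes.
// Ampersand is replaced first so already-produced entities are not re-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: source_name (copied from a raw utm_source) is concatenated
// into markup that the caller assigns to legend.innerHTML, so any markup stored
// in the referral table becomes live DOM on the admin page.
function renderLegendUnsafe(entries) {
  return entries
    .map((e) => `<li class="legend-item">${e.source_name}: ${e.hits}</li>`)
    .join("");
}

// Hardened pattern: every untrusted field is escaped before it reaches innerHTML.
// Building nodes with document.createElement and textContent is equally safe.
function renderLegendSafe(entries) {
  return entries
    .map(
      (e) =>
        `<li class="legend-item">${escapeHtml(e.source_name)}: ${escapeHtml(e.hits)}</li>`
    )
    .join("");
}

// Defensive review helper for already-stored referral data: a legitimate
// utm_source never needs HTML-significant characters, so rows containing them
// deserve inspection before the legend is rendered.
function findSuspiciousSources(entries) {
  return entries.filter((e) => /[<>"'&]/.test(String(e.source_name)));
}

// Constructed sample rows: one ordinary source and one carrying stray markup.
const sampleEntries = [
  { source_name: "newsletter", hits: 42 },
  { source_name: "<em>markup-in-utm_source</em>", hits: 1 },
];
```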
Meta Information
Published: 2026-04-17
Last Modified: 2026-04-17
Generated: 2026-05-07
AI Q&A: 2026-04-17
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor / Product / Version range: wp_statistics plugin, up to 14.16.4 (inclusive)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

The WP Statistics plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in the 'utm_source' parameter in all versions up to and including 14.16.4.

This vulnerability occurs because the plugin does not properly sanitize or escape input. Specifically, the referral parser copies the raw 'utm_source' value into the source_name field when a wildcard channel domain matches.

Later, the chart renderer inserts this value into legend markup using innerHTML without escaping it, allowing an attacker to inject arbitrary web scripts.

These scripts execute whenever an administrator views the Referrals Overview or Social Media analytics pages, and the attacker does not need to be authenticated.


How can this vulnerability impact me?

This vulnerability allows unauthenticated attackers to inject and execute arbitrary scripts in the admin pages of the WordPress site using the WP Statistics plugin.

As a result, attackers could potentially perform actions such as stealing administrator session cookies, defacing admin pages, or conducting further attacks within the administrative context.

The CVSS score of 7.2 indicates a high severity, with impacts on confidentiality and integrity but not availability.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows unauthenticated attackers to inject arbitrary web scripts into admin pages, potentially leading to unauthorized access or manipulation of sensitive data within the WordPress admin interface.

Such unauthorized script execution could compromise the confidentiality and integrity of data, which may impact compliance with standards and regulations like GDPR and HIPAA that require protection of personal and sensitive information.

However, the provided information does not explicitly detail the direct effects on compliance with these standards.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should update the WP Statistics plugin to a version later than 14.16.4 where the issue is fixed.

Additionally, restrict access to the WordPress admin pages to trusted users only, as the vulnerability allows unauthenticated attackers to inject scripts that execute in admin pages.

Consider implementing web application firewall (WAF) rules to block malicious payloads targeting the 'utm_source' parameter.

