CVE-2026-6275
Stored XSS in StatCounter WordPress Plugin
Publication date: 2026-05-29
Last updated on: 2026-05-29
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| statcounter | free_real_time_visitor_stats | to 2.1.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The StatCounter β Free Real Time Visitor Stats plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in versions up to and including 2.1.1. This occurs because the plugin does not properly escape the post author's nickname when inserting it into a JavaScript context within a script block. Specifically, the function statcounter_addToTags() retrieves the author's nickname and outputs it directly into a JavaScript double-quoted string without using proper escaping functions like esc_js().
As a result, authenticated users with Author-level access or higher can inject malicious scripts into posts they author. These scripts will execute in the browsers of any users who view those posts, including unauthenticated visitors.
How can this vulnerability impact me? :
This vulnerability allows attackers with Author-level access to inject arbitrary JavaScript code into posts. When other users visit these posts, the malicious scripts execute in their browsers. This can lead to theft of sensitive information such as cookies or session tokens, unauthorized actions performed on behalf of users, or distribution of malware.
Because the vulnerability affects every post page where the injected author nickname appears, it can impact all visitors to the site, including unauthenticated users, potentially compromising user trust and site integrity.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking if the StatCounter β Free Real Time Visitor Stats plugin for WordPress is installed and running a version up to and including 2.1.1.
Since the vulnerability is due to insufficient output escaping of the post author's nickname in the statcounter_addToTags() function, one way to detect it is to inspect the HTML source of post pages for suspicious or unescaped JavaScript code injected via the author's nickname.
There are no specific commands provided in the available resources to detect this vulnerability on your system or network.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the StatCounter β Free Real Time Visitor Stats plugin to a version later than 2.1.1 where the vulnerability is fixed.
If an update is not immediately possible, restrict Author-level access and above to trusted users only, as the vulnerability requires authenticated users with Author-level access or higher to exploit.
Additionally, monitor and sanitize any user input fields related to author nicknames to prevent injection of malicious scripts.