CVE-2026-6275
Deferred Deferred - Pending Action
Stored XSS in StatCounter WordPress Plugin

Publication date: 2026-05-29

Last updated on: 2026-05-29

Assigner: Wordfence

Description
The StatCounter – Free Real Time Visitor Stats plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.1.1 This is due to insufficient output escaping on the post author's nickname in the statcounter_addToTags() function. The function is hooked to wp_head and fires on every single post page. It retrieves the post author's nickname via the_author_meta() and echoes it directly into a JavaScript double-quoted string context inside a <script> block without applying esc_js() or any equivalent JavaScript-context escaping. This makes it possible for authenticated attackers with Author-level access and above to inject arbitrary web scripts into pages that will execute whenever any user (including unauthenticated visitors) accesses a post authored by the attacker.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-29
Last Modified
2026-05-29
Generated
2026-06-19
AI Q&A
2026-05-29
EPSS Evaluated
2026-06-18
NVD
CVE-2026-6275
EUVD
EUVD-2026-33250
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
statcounter free_real_time_visitor_stats to 2.1.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

Detection of this vulnerability involves checking if the StatCounter – Free Real Time Visitor Stats plugin for WordPress is installed and running a version up to and including 2.1.1.

Since the vulnerability is due to insufficient output escaping of the post author's nickname in the statcounter_addToTags() function, one way to detect it is to inspect the HTML source of post pages for suspicious or unescaped JavaScript code injected via the author's nickname.

There are no specific commands provided in the available resources to detect this vulnerability on your system or network.

Executive Summary

The StatCounter – Free Real Time Visitor Stats plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in versions up to and including 2.1.1. This occurs because the plugin does not properly escape the post author's nickname when inserting it into a JavaScript context within a script block. Specifically, the function statcounter_addToTags() retrieves the author's nickname and outputs it directly into a JavaScript double-quoted string without using proper escaping functions like esc_js().

As a result, authenticated users with Author-level access or higher can inject malicious scripts into posts they author. These scripts will execute in the browsers of any users who view those posts, including unauthenticated visitors.

Impact Analysis

This vulnerability allows attackers with Author-level access to inject arbitrary JavaScript code into posts. When other users visit these posts, the malicious scripts execute in their browsers. This can lead to theft of sensitive information such as cookies or session tokens, unauthorized actions performed on behalf of users, or distribution of malware.

Because the vulnerability affects every post page where the injected author nickname appears, it can impact all visitors to the site, including unauthenticated users, potentially compromising user trust and site integrity.

Mitigation Strategies

Immediate mitigation steps include updating the StatCounter – Free Real Time Visitor Stats plugin to a version later than 2.1.1 where the vulnerability is fixed.

If an update is not immediately possible, restrict Author-level access and above to trusted users only, as the vulnerability requires authenticated users with Author-level access or higher to exploit.

Additionally, monitor and sanitize any user input fields related to author nicknames to prevent injection of malicious scripts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6275. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart