CVE-2026-7634
Deferred - Pending Action
Stored XSS in SlimStat Analytics WordPress Plugin

Publication date: 2026-05-28

Last updated on: 2026-05-28

Assigner: Wordfence

Description
The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'User-Agent' header in all versions up to, and including, 5.4.11 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The show_complete_user_agent_tooltip setting must be explicitly enabled by an administrator (disabled by default) for the stored payload to be rendered and executed.
Meta Information
Published
2026-05-28
Last Modified
2026-05-28
Generated
2026-05-28
AI Q&A
2026-05-28
EPSS Evaluated
N/A
Affected Vendors & Products
1 associated CPE
Vendor: wp_slimstat
Product: slimstat_analytics
Version / Range: up to and including 5.4.11
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-7634 is a stored cross-site scripting (XSS) vulnerability in the SlimStat Analytics WordPress plugin, affecting all versions up to and including 5.4.11.

The plugin records each visitor's User-Agent header without sanitizing it, so an unauthenticated attacker can store attacker-controlled HTML in the plugin's tables simply by sending a request with a crafted header.

The stored value is later written into the plugin's reports as a tooltip. When the show_complete_user_agent_tooltip setting is enabled (it is disabled by default), the raw value reaches the page unescaped and the script runs in the browser of whoever views the report, typically an administrator.

The fix sanitizes the User-Agent header at capture time, sanitizes the value again before storage, and neutralizes unsafe HTML at output time.


How can this vulnerability impact me?

This vulnerability allows unauthenticated attackers to inject and execute arbitrary web scripts in the context of the affected WordPress site.

If exploited, it can lead to theft of sensitive information, session hijacking, defacement, or other malicious actions performed by executing scripts in the victim's browser.

The impact is significant because the attack needs no authentication: once the setting is enabled, the payload runs in the browser of anyone who views the affected report, and that is typically an administrator.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking if your WordPress site is running the SlimStat Analytics plugin version 5.4.11 or earlier, as these versions are vulnerable to stored cross-site scripting via the User-Agent header.

To detect potential exploitation attempts, you can monitor HTTP requests for suspicious or unusual User-Agent headers that may contain script tags or other malicious payloads.

For example, the combined log format written by Apache and nginx never contains the literal header name 'User-Agent' (the value is simply the last double-quoted field), so grep for payload characters directly rather than piping through grep 'User-Agent', which would match nothing:

  • grep -E '<script|javascript:|onerror=' /var/log/apache2/access.log
  • grep -E '<script|javascript:|onerror=' /var/log/nginx/access.log

These patterns match anywhere on the line, including the request URI, and they only catch the most obvious payloads; an injected User-Agent does not need to contain <script at all (an <img> tag with an event handler is enough), so treat a clean result as weak evidence.

Additionally, inspecting the database entries related to User-Agent data in the SlimStat Analytics plugin tables for injected scripts can help identify stored payloads.
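One way to run the log check above against a real combined-format access log, as an added example that is not part of this page or of the plugin: the function below splits each line on the double quote and tests only the User-Agent field, so a <script> in the request URI is not counted. The sample log lines are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the page or the plugin): pick out access-log lines whose
# User-Agent field contains HTML or JavaScript. The log lines in make_sample_log are
# constructed for the demonstration; point suspicious_user_agents at a real log.
#
# In the combined log format the User-Agent is the last double-quoted field, so
# split each line on '"' and inspect field 6. Grepping the whole line would also
# fire on a "<script>" in the request URI, which is not this vulnerability's vector.

# Lower-cased patterns: a tag start, a javascript: URL, an inline event handler,
# a numeric HTML entity, or a URL-encoded '<'. Deliberately broad; review hits by hand.
UA_PATTERN='<[a-z/!]|javascript:|on[a-z]+ *=|&#x?[0-9a-f]+;|%3c'

# suspicious_user_agents LOGFILE
#   prints "<client ip>TAB<user agent>" for every matching line,
#   exit status 0 if there was at least one hit, 1 otherwise.
suspicious_user_agents() {
    awk -F'"' -v pat="$UA_PATTERN" '
        NF >= 6 {
            ua = $6
            if (tolower(ua) ~ pat) {
                split($1, head, " ")           # first field: ip - - [timestamp]
                printf "%s\t%s\n", head[1], ua
                found = 1
            }
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# make_sample_log: writes a constructed log to a temp file and prints its path.
# Two clean requests, one with <script> only in the URI (must not match),
# and two with HTML in the User-Agent (must match).
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
203.0.113.10 - - [28/May/2026:10:00:01 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/126.0"
203.0.113.11 - - [28/May/2026:10:00:02 +0000] "GET /blog/ HTTP/1.1" 200 7310 "https://example.org/" "<script src=https://example.invalid/x.js></script>"
203.0.113.12 - - [28/May/2026:10:00:03 +0000] "GET /?q=<script>alert(1)</script> HTTP/1.1" 200 900 "-" "curl/8.5.0"
203.0.113.13 - - [28/May/2026:10:00:04 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0 <img src=x onerror=alert(document.domain)>"
203.0.113.14 - - [28/May/2026:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/125.0.0.0 Safari/537.36"
EOF
    echo "$f"
}

LOG=$(make_sample_log)
suspicious_user_agents "$LOG" || echo "no suspicious User-Agent values found"
rm -f "$LOG"
```

Apache writes a literal double quote inside the header as \", which shifts the field count on that line; if some lines show more fields than expected, reparse those with a proper log parser rather than trusting the awk split. Widen UA_PATTERN if you suspect encoded payloads.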


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to update the SlimStat Analytics plugin to version 5.4.12 or later, where the vulnerability has been fixed.

The fix includes sanitizing the User-Agent header during capture, sanitizing data during storage, and defanging unsafe HTML during output, effectively preventing exploitation.

If updating immediately is not possible, disable the 'show_complete_user_agent_tooltip' setting in the plugin: the stored payload is only rendered when that setting is enabled. This stops the payload from executing but does not remove it from the database, so the stored User-Agent data should still be reviewed and cleaned once the plugin is updated.

Blocking User-Agent values that contain HTML or script at the web server or web application firewall reduces exposure in the meantime, but such filters are easy to evade and are no substitute for the update.
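The update-or-disable procedure above, written as a WP-CLI triage script; this is an added example rather than the plugin's or the page's own code. The plugin slug wp-slimstat, the option name slimstat_options, and the setting values "on"/"no" are assumptions about how the plugin stores its settings and should be verified against your install; the fixed version 5.4.12 is taken from the text above.

```shell
#!/bin/sh
# Added example (not from the page or the plugin): triage a WordPress install with
# WP-CLI. Assumptions to verify against your install: the plugin slug is wp-slimstat,
# its settings live in the serialized option slimstat_options, and the tooltip
# setting key is show_complete_user_agent_tooltip with "on"/"no" values.
# The fixed version comes from the advisory text above.
FIXED_VERSION=5.4.12

# version_lt A B: exit 0 when dotted version A is strictly lower than B.
# Components are compared numerically; a non-numeric suffix ("12-beta") is ignored,
# so 5.4.12-beta compares equal to 5.4.12.
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        if [ "$ai" = "$a" ]; then a=; else a=${a#*.}; fi
        if [ "$bi" = "$b" ]; then b=; else b=${b#*.}; fi
        ai=${ai%%[!0-9]*}; bi=${bi%%[!0-9]*}
        ai=${ai:-0}; bi=${bi:-0}
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
    done
    return 1
}

# slimstat_is_vulnerable VERSION: exit 0 when VERSION is at or below 5.4.11.
slimstat_is_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# triage [WORDPRESS_PATH]: update the plugin if it is affected; if the update fails,
# fall back to disabling the tooltip setting. Needs the wp command and the install.
triage() {
    path=${1:-/var/www/html}
    if ! installed=$(wp plugin get wp-slimstat --field=version --path="$path" 2>/dev/null); then
        echo "wp-slimstat is not installed at $path (or wp is unavailable)"
        return 0
    fi
    if ! slimstat_is_vulnerable "$installed"; then
        echo "SlimStat $installed is not affected"
        return 0
    fi
    echo "SlimStat $installed is affected; fixed in $FIXED_VERSION"
    if wp plugin update wp-slimstat --path="$path"; then
        echo "plugin updated; previously stored User-Agent values should still be reviewed"
    else
        echo "update failed; disabling the tooltip so stored payloads are not rendered"
        # Assumed storage layout: slimstat_options[show_complete_user_agent_tooltip] = "on"/"no"
        wp option patch update slimstat_options show_complete_user_agent_tooltip no --path="$path"
    fi
}

# Run only when a WordPress path is given, e.g. ./triage.sh /var/www/html
if [ $# -gt 0 ]; then triage "$1"; fi
```

The version comparison is done in pure sh rather than with sort -V so the script behaves the same on minimal images; if the fixed version changes, only FIXED_VERSION needs to be edited.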


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows unauthenticated attackers to inject and execute arbitrary scripts via stored cross-site scripting (XSS) in the SlimStat Analytics WordPress plugin. This can lead to unauthorized access to user data or manipulation of web pages, potentially compromising confidentiality and integrity of data.

Such security weaknesses can negatively impact compliance with data protection standards and regulations like GDPR and HIPAA, which require adequate safeguards to protect personal and sensitive information from unauthorized access or disclosure.

However, the vulnerability requires an administrator to enable a specific setting (show_complete_user_agent_tooltip) for exploitation, which may limit exposure.

