CVE-2026-8943
Deferred Deferred - Pending Action
Cross-Site Request Forgery in GoStats WordPress Plugin

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: Wordfence

Description
The GoStats for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the gostats_manage() function. This makes it possible for unauthenticated attackers to update the plugin's settings (gostats_siteid and gostats_server options) via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-27
Last Modified
2026-05-27
Generated
2026-06-16
AI Q&A
2026-05-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-8943
EUVD
EUVD-2026-32068
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
go_stats gostats to 1.4 (inc)
go_stats go_stats to 1.4 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

To mitigate this vulnerability, update the GoStats for WordPress plugin to a version later than 1.4 where the nonce validation issue in the gostats_manage() function is fixed.

Additionally, ensure that site administrators are cautious about clicking on untrusted links that could trigger forged requests.

Executive Summary

The GoStats for WordPress plugin is vulnerable to a Cross-Site Request Forgery (CSRF) attack in all versions up to and including 1.4. This vulnerability exists because the plugin's gostats_manage() function lacks proper nonce validation. As a result, an attacker can trick a site administrator into performing an action, such as clicking a malicious link, which allows the attacker to update the plugin's settings without authentication.

Impact Analysis

This vulnerability allows an unauthenticated attacker to change the plugin's settings by exploiting the administrator's actions. Specifically, the attacker can update the gostats_siteid and gostats_server options, potentially altering how the plugin behaves or where it sends data. This could lead to unauthorized configuration changes and possible misuse of the plugin's functionality.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8943. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart