CVE-2026-3488 is a missing authorization vulnerability in the WP Statistics WordPress plugin (versions up to 14.16.4). Several AJAX endpoints such as wp_statistics_get_filters, wp_statistics_getPrivacyStatus, wp_statistics_updatePrivacyStatus, and wp_statistics_dismiss_notices verify only a wp_rest nonce via check_ajax_referer() but do not perform capability checks like current_user_can() or the plugin's User::Access() method. Since the wp_rest nonce is accessible to all authenticated users, attackers with low-level privileges (Subscriber and above) can exploit this to access sensitive analytics data including user IDs, usernames, emails, and visitor tracking data, as well as modify privacy audit compliance status and dismiss admin notices.

Authenticated users with Subscriber-level access or higher can exploit this vulnerability to access sensitive analytics data (user IDs, usernames, emails, visitor tracking data), alter privacy compliance status, and dismiss administrative notices. This exposure of sensitive information and unauthorized modification of privacy settings can lead to privacy violations and potential misuse of analytics data. There is no indication of impact on system availability or integrity beyond the described data access and modification.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict plugin usage to trusted users only and consider disabling or restricting access to the affected AJAX endpoints if possible. Monitor for updates from veronalabs regarding a security patch or official mitigation steps.