CVE-2026-3488: CWE-862 Missing Authorization in veronalabs WP Statistics – Simple, privacy-friendly Google Analytics alternative
The WP Statistics plugin for WordPress suffers from a missing authorization vulnerability in all versions up to and including 14.16.4. Multiple AJAX handlers do not enforce capability checks and rely only on a wp_rest nonce, which WordPress issues to every authenticated user. This allows attackers with Subscriber-level access or higher to read sensitive analytics data, modify the privacy compliance status, and dismiss administrative notices. The vulnerability has a CVSS v3.1 score of 6.5 (medium severity). No official patch or remediation guidance is currently available from the vendor.
AI Analysis
Technical Summary
CVE-2026-3488 is a missing authorization vulnerability (CWE-862) in the WP Statistics WordPress plugin by veronalabs. Several admin-ajax endpoints (including wp_statistics_get_filters, wp_statistics_getPrivacyStatus, wp_statistics_updatePrivacyStatus, and wp_statistics_dismiss_notices) verify a wp_rest nonce via check_ajax_referer() but perform no capability check such as current_user_can() or the plugin's own User::Access() method. A nonce only proves that the request came from a page WordPress rendered for the current logged-in user; it is a CSRF defence, not an authorization decision. Because the wp_rest nonce is issued to every authenticated user, an attacker with a Subscriber-level account or higher can call these handlers to read sensitive analytics data (user IDs, usernames, emails, visitor tracking data), alter the privacy audit compliance status, and dismiss admin notices. The vulnerability affects all versions up to and including 14.16.4. No vendor advisory or patch is currently available.
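The pattern described above, as an added illustration rather than code from the WP Statistics plugin: a minimal admin-ajax handler that checks only the nonce, beside the same handler with a capability check, and a hardened write path. The action names and the wp_rest nonce come from the advisory; the request field name, the option name, the accepted status values, and the manage_options capability are assumptions made for the example.

```php
<?php
// Added illustration, not WP Statistics source. Shows the CWE-862 pattern from the
// advisory on one of the named actions: nonce verified, capability never checked.

// BEFORE (vulnerable): check_ajax_referer() proves the caller holds a valid
// 'wp_rest' nonce. WordPress issues that nonce to every logged-in user, so a
// Subscriber passes this check. It is anti-CSRF, not authorization.
function wps_example_privacy_status_vulnerable() {
    check_ajax_referer('wp_rest', 'nonce');                 // request field name assumed
    $status = get_option('wp_statistics_privacy_status');   // option name assumed
    wp_send_json_success($status);
}

// AFTER (hardened): same nonce check, plus an explicit authorization decision.
// The capability the plugin really requires is not stated on the page;
// manage_options (administrators) is used here as a conservative stand-in.
function wps_example_privacy_status_hardened() {
    check_ajax_referer('wp_rest', 'nonce');
    if (!current_user_can('manage_options')) {
        wp_send_json_error(['message' => 'forbidden'], 403);  // ends the request
    }
    $status = get_option('wp_statistics_privacy_status');
    wp_send_json_success($status);
}

// A write path needs the same gate plus input validation (accepted values assumed).
function wps_example_update_privacy_status_hardened() {
    check_ajax_referer('wp_rest', 'nonce');
    if (!current_user_can('manage_options')) {
        wp_send_json_error(['message' => 'forbidden'], 403);
    }
    $status = isset($_POST['status']) ? sanitize_key($_POST['status']) : '';
    if (!in_array($status, ['compliant', 'non_compliant'], true)) {
        wp_send_json_error(['message' => 'invalid status'], 400);
    }
    update_option('wp_statistics_privacy_status', $status);
    wp_send_json_success($status);
}

// Only the hardened handlers are registered; the vulnerable one is kept for comparison.
add_action('wp_ajax_wp_statistics_getPrivacyStatus',    'wps_example_privacy_status_hardened');
add_action('wp_ajax_wp_statistics_updatePrivacyStatus', 'wps_example_update_privacy_status_hardened');
```

The point of the comparison is the order of checks: a nonce failure and a capability failure are different conditions and both must be tested. Registering under wp_ajax_ (not wp_ajax_nopriv_) already restricts the handler to logged-in users, which is exactly the population the advisory says is too broad.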
Potential Impact
Any authenticated user with Subscriber-level access or higher can read sensitive analytics data, including user identifiers, email addresses, and visitor tracking information, which is the main driver of the medium score. The two write paths have a narrower integrity effect: changing the privacy compliance status misrepresents the site's compliance state, and dismissing administrative notices hides warnings from administrators, undermining privacy controls and administrative oversight. The page reports no impact on availability and no path to code execution or privilege escalation beyond these data and configuration exposures.
Mitigation Recommendations
No vendor patch or advisory is confirmed at the time of writing. Check the plugin's changelog on WordPress.org and the Wordfence advisory (Wordfence is the assigning CNA for this CVE) for current status, and update to a fixed release as soon as one is published. Until then: reduce who can hold an account, since a Subscriber role is all the attack needs (disable open registration under Settings, General, "Anyone can register", and remove unused low-privilege accounts); deactivate the plugin if analytics are not essential; or place a capability check in front of the affected admin-ajax actions with a must-use plugin. Review web and application logs for admin-ajax.php requests carrying action=wp_statistics_* from non-administrator accounts, and monitor veronalabs for an official fix.
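One way to implement the temporary capability gate mentioned above, as an added example and not vendor code. It covers the four handlers named in the advisory (the advisory says "including", so there may be more). It assumes the plugin registers its handlers at WordPress's default hook priority of 10, so a callback at priority 1 runs first and ends the request, and it assumes manage_options is the right capability for legitimate users of the plugin on your site.

```php
<?php
/**
 * Plugin Name: Temporary capability gate for WP Statistics AJAX handlers
 * Description: Added example, not vendor code. Place in wp-content/mu-plugins/ so it
 *              loads before regular plugins and cannot be deactivated from the UI.
 */

// Handlers named in the advisory for CVE-2026-3488. Extend if you find others
// in the plugin source that follow the same nonce-only pattern.
const WPS_GATED_AJAX_ACTIONS = [
    'wp_statistics_get_filters',
    'wp_statistics_getPrivacyStatus',
    'wp_statistics_updatePrivacyStatus',
    'wp_statistics_dismiss_notices',
];

// Assumption: the plugin hooks these actions at the default priority (10).
// Our gate at priority 1 runs first; wp_send_json_error() calls wp_die(), so the
// plugin's own callback never executes for a caller who fails the check.
// Only wp_ajax_ (logged-in) hooks are gated: the attack requires authentication.
foreach (WPS_GATED_AJAX_ACTIONS as $wps_action) {
    add_action('wp_ajax_' . $wps_action, 'wps_gate_ajax_capability', 1);
}

function wps_gate_ajax_capability(): void {
    // manage_options is an assumption; narrow or widen it to match the users who
    // legitimately operate WP Statistics on this site.
    if (current_user_can('manage_options')) {
        return;                                   // authorized: let the plugin handle it
    }
    // current_action() returns the hook being run, e.g. wp_ajax_wp_statistics_get_filters.
    error_log(sprintf(
        'wps-gate: blocked %s for user_id=%d from %s',
        current_action(),
        get_current_user_id(),
        isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ));
    wp_send_json_error(['message' => 'forbidden'], 403);
}
```

The error_log() line gives you a detection signal for the interim: every blocked call records the hook name and the user ID, which is enough to identify a low-privilege account probing these endpoints. Remove the mu-plugin once a vendor release that adds its own capability checks is installed.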
CVSS v3.1
Score: 6.5 (medium)
Weaknesses
CWE-862 Missing Authorization
Technical Details
- Data version: 5.2
- Assigner short name: Wordfence
- Date reserved: 2026-03-03T15:44:08.198Z
- CVSS version: 3.1
- State: PUBLISHED
- Remediation level: not specified (null)
Threat ID: 69e2142082d89c981fcd7c34
Added to database: 4/17/2026, 11:06:08 AM
Last enriched: 4/24/2026, 4:20:41 PM
Last updated: 6/1/2026, 9:35:11 PM