CVE-2026-5231: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in veronalabs WP Statistics – Simple, privacy-friendly Google Analytics alternative
WP Statistics plugin for WordPress versions up to 14. 16. 4 contains a stored cross-site scripting (XSS) vulnerability via the 'utm_source' parameter. This occurs because the plugin does not properly sanitize or escape input before inserting it into admin page markup. An unauthenticated attacker can inject malicious scripts that execute when an administrator views certain analytics pages.
AI Analysis
Technical Summary
CVE-2026-5231 is a stored cross-site scripting vulnerability in the WP Statistics WordPress plugin (up to version 14.16.4). The vulnerability arises from insufficient input sanitization and output escaping of the 'utm_source' parameter. Specifically, the plugin's referral parser copies the raw 'utm_source' value into a field that is later rendered into admin page HTML via innerHTML without escaping, allowing script injection. This affects the Referrals Overview and Social Media analytics pages in the admin interface and can be exploited by unauthenticated attackers.
Potential Impact
Successful exploitation allows an unauthenticated attacker to execute arbitrary JavaScript in the context of the WordPress admin pages viewed by administrators. This can lead to theft of admin session cookies, unauthorized actions, or other malicious activities limited to the admin interface. The CVSS score of 7.2 reflects high severity with network attack vector, no privileges required, and impact on confidentiality and integrity.
Mitigation Recommendations
Patch status is not yet confirmed — no official fix or patch links are currently available. Administrators should monitor the vendor's advisory for updates. Until a patch is released, restricting access to the WordPress admin interface and validating or sanitizing 'utm_source' inputs externally may reduce risk. Avoid visiting the Referrals Overview or Social Media analytics pages with untrusted data inputs. No vendor advisory content is available to indicate if any temporary or official fixes exist.
CVE-2026-5231: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in veronalabs WP Statistics – Simple, privacy-friendly Google Analytics alternative
Description
WP Statistics plugin for WordPress versions up to 14. 16. 4 contains a stored cross-site scripting (XSS) vulnerability via the 'utm_source' parameter. This occurs because the plugin does not properly sanitize or escape input before inserting it into admin page markup. An unauthenticated attacker can inject malicious scripts that execute when an administrator views certain analytics pages.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-5231 is a stored cross-site scripting vulnerability in the WP Statistics WordPress plugin (up to version 14.16.4). The vulnerability arises from insufficient input sanitization and output escaping of the 'utm_source' parameter. Specifically, the plugin's referral parser copies the raw 'utm_source' value into a field that is later rendered into admin page HTML via innerHTML without escaping, allowing script injection. This affects the Referrals Overview and Social Media analytics pages in the admin interface and can be exploited by unauthenticated attackers.
Potential Impact
Successful exploitation allows an unauthenticated attacker to execute arbitrary JavaScript in the context of the WordPress admin pages viewed by administrators. This can lead to theft of admin session cookies, unauthorized actions, or other malicious activities limited to the admin interface. The CVSS score of 7.2 reflects high severity with network attack vector, no privileges required, and impact on confidentiality and integrity.
Mitigation Recommendations
Patch status is not yet confirmed — no official fix or patch links are currently available. Administrators should monitor the vendor's advisory for updates. Until a patch is released, restricting access to the WordPress admin interface and validating or sanitizing 'utm_source' inputs externally may reduce risk. Avoid visiting the Referrals Overview or Social Media analytics pages with untrusted data inputs. No vendor advisory content is available to indicate if any temporary or official fixes exist.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-03-31T13:31:45.563Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e2142082d89c981fcd7c54
Added to database: 4/17/2026, 11:06:08 AM
Last enriched: 4/17/2026, 11:07:21 AM
Last updated: 4/17/2026, 12:18:33 PM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.