CVE-2026-5231: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in veronalabs WP Statistics – Simple, privacy-friendly Google Analytics alternative
The WP Statistics WordPress plugin up to version 14. 16. 4 contains a stored cross-site scripting (XSS) vulnerability via the 'utm_source' parameter. This occurs because the plugin does not properly sanitize or escape input before inserting it into admin page markup, allowing unauthenticated attackers to inject malicious scripts. These scripts execute when an administrator views certain analytics pages, potentially compromising admin sessions or data. The vulnerability has a CVSS score of 7. 2 (high severity). No official patch or remediation guidance is currently available from the vendor.
AI Analysis
Technical Summary
CVE-2026-5231 is a stored cross-site scripting vulnerability in the WP Statistics plugin for WordPress, affecting all versions up to and including 14.16.4. The issue arises from insufficient input sanitization and output escaping of the 'utm_source' parameter. The plugin's referral parser copies the raw 'utm_source' value into the 'source_name' field when a wildcard channel domain matches. Later, the chart renderer inserts this value into legend markup using innerHTML without escaping, enabling injection of arbitrary scripts. An unauthenticated attacker can exploit this to inject scripts that execute in the context of admin pages such as the Referrals Overview or Social Media analytics pages when accessed by an administrator.
Potential Impact
Successful exploitation allows unauthenticated attackers to execute arbitrary JavaScript in the context of WordPress admin pages viewed by administrators. This can lead to session hijacking, unauthorized actions, or disclosure of sensitive information accessible to the admin user. The vulnerability does not impact availability but compromises confidentiality and integrity of the admin interface.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, administrators should limit access to the affected analytics pages and consider disabling the WP Statistics plugin if possible. Monitoring for suspicious activity related to admin sessions is advisable. Avoid clicking on untrusted links containing crafted 'utm_source' parameters that could trigger the vulnerability.
CVE-2026-5231: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in veronalabs WP Statistics – Simple, privacy-friendly Google Analytics alternative
Description
The WP Statistics WordPress plugin up to version 14. 16. 4 contains a stored cross-site scripting (XSS) vulnerability via the 'utm_source' parameter. This occurs because the plugin does not properly sanitize or escape input before inserting it into admin page markup, allowing unauthenticated attackers to inject malicious scripts. These scripts execute when an administrator views certain analytics pages, potentially compromising admin sessions or data. The vulnerability has a CVSS score of 7. 2 (high severity). No official patch or remediation guidance is currently available from the vendor.
CVSS v3.1
Score 7.2high
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-5231 is a stored cross-site scripting vulnerability in the WP Statistics plugin for WordPress, affecting all versions up to and including 14.16.4. The issue arises from insufficient input sanitization and output escaping of the 'utm_source' parameter. The plugin's referral parser copies the raw 'utm_source' value into the 'source_name' field when a wildcard channel domain matches. Later, the chart renderer inserts this value into legend markup using innerHTML without escaping, enabling injection of arbitrary scripts. An unauthenticated attacker can exploit this to inject scripts that execute in the context of admin pages such as the Referrals Overview or Social Media analytics pages when accessed by an administrator.
Potential Impact
Successful exploitation allows unauthenticated attackers to execute arbitrary JavaScript in the context of WordPress admin pages viewed by administrators. This can lead to session hijacking, unauthorized actions, or disclosure of sensitive information accessible to the admin user. The vulnerability does not impact availability but compromises confidentiality and integrity of the admin interface.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, administrators should limit access to the affected analytics pages and consider disabling the WP Statistics plugin if possible. Monitoring for suspicious activity related to admin sessions is advisable. Avoid clicking on untrusted links containing crafted 'utm_source' parameters that could trigger the vulnerability.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-03-31T13:31:45.563Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e2142082d89c981fcd7c54
Added to database: 4/17/2026, 11:06:08 AM
Last enriched: 4/24/2026, 4:18:39 PM
Last updated: 5/31/2026, 1:57:31 PM
Views: 83
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.