CVE-2026-6275 is a stored cross-site scripting vulnerability in the StatCounter – Free Real Time Visitor Stats WordPress plugin (up to version 2.1.1). The issue arises from insufficient output escaping of the post author's nickname in the statcounter_addToTags() function, which is hooked to wp_head and runs on every post page. The function retrieves the author's nickname via the_author_meta() and injects it directly into a JavaScript double-quoted string inside a <script> block without applying esc_js() or equivalent escaping. This allows authenticated users with Author-level privileges or higher to inject arbitrary JavaScript that executes in the context of any visitor viewing the post.

An attacker with Author-level access or higher can inject malicious JavaScript code into posts, which will execute in the browsers of any users viewing those posts, including unauthenticated visitors. This can lead to theft of session cookies, defacement, or other client-side attacks. The vulnerability does not affect availability but impacts confidentiality and integrity. The CVSS 3.1 base score is 6.4 (medium severity), reflecting network attack vector, low attack complexity, privileges required, no user interaction, and partial confidentiality and integrity impact.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict Author-level access to trusted users only. Consider applying manual code fixes to properly escape the author's nickname in the JavaScript context using esc_js() or equivalent. Monitor official StatCounter and WordPress plugin repositories for updates addressing this vulnerability.