{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5231", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-31T13:31:45.563Z", "datePublished": "2026-04-17T01:24:37.573Z", "dateUpdated": "2026-04-17T01:24:37.573Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-17T01:24:37.573Z"}, "affected": [{"vendor": "veronalabs", "product": "WP Statistics \u2013 Simple, privacy-friendly Google Analytics alternative", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "14.16.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP Statistics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'utm_source' parameter in all versions up to, and including, 14.16.4. This is due to insufficient input sanitization and output escaping. The plugin's referral parser copies the raw utm_source value into the source_name field when a wildcard channel domain matches, and the chart renderer later inserts this value into legend markup via innerHTML without escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in admin pages that will execute whenever an administrator accesses the Referrals Overview or Social Media analytics pages."}], "title": "WP Statistics <= 14.16.4 - Unauthenticated Stored Cross-Site Scripting via 'utm_source' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9b350b48-05ba-4054-895f-36d7ad71459d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-statistics/trunk/assets/dev/javascript/chart.js#L498"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-statistics/tags/14.16.4/assets/dev/javascript/chart.js#L498"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-statistics/trunk/src/Service/Analytics/Referrals/ReferralsParser.php#L62"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-statistics/tags/14.16.4/src/Service/Analytics/Referrals/ReferralsParser.php#L62"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3503795%40wp-statistics%2Ftrunk&old=3483860%40wp-statistics%2Ftrunk&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "baseScore": 7.2, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "daroo"}], "timeline": [{"time": "2026-03-31T13:47:51.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-16T13:20:16.000Z", "lang": "en", "value": "Disclosed"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WP Statistics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'utm_source' parameter in all versions up to, and including, 14.16.4. This is due to insufficient input sanitization and output escaping. The plugin's referral parser copies the raw utm_source value into the source_name field when a wildcard channel domain matches, and the chart renderer later inserts this value into legend markup via innerHTML without escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in admin pages that will execute whenever an administrator accesses the Referrals Overview or Social Media analytics pages."}], "id": "CVE-2026-5231", "lastModified": "2026-04-17T02:16:06.227", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-17T02:16:06.227", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-statistics/tags/14.16.4/assets/dev/javascript/chart.js#L498"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-statistics/tags/14.16.4/src/Service/Analytics/Referrals/ReferralsParser.php#L62"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-statistics/trunk/assets/dev/javascript/chart.js#L498"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-statistics/trunk/src/Service/Analytics/Referrals/ReferralsParser.php#L62"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3503795%40wp-statistics%2Ftrunk&old=3483860%40wp-statistics%2Ftrunk&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9b350b48-05ba-4054-895f-36d7ad71459d?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,14.16.4]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "WP Statistics \u2013 Simple, privacy-friendly Google Analytics alternative", "source": "cna", "vendor": "veronalabs"}, "product": "wp_statistics_\u2013_simple,_privacy-friendly_google_analytics_alternative", "vendor": "veronalabs"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-17T03:20:45.106477+00:00", "value": {"mitigation_remediation": ["Upgrade WP Statistics to a version newer than 14.16.4, ensuring the utm_source handling and output escaping have been corrected.", "Restrict access to the Referrals Overview and Social Media analytics pages to trusted administrators, and enforce strict role\u2011based access controls in WordPress.", "Implement server\u2011side or application\u2011level filtering to sanitize the utm_source parameter (for example, strip script tags or encode the value) before it is stored or rendered by the plugin."], "summary": {"action": "Patch Immediately", "impact": "Stored Cross\u2011Site Scripting that executes when an administrator views analytics pages"}, "threat_synthesis": {"affected_systems": "WordPress sites that use the WP Statistics plugin from veronalabs, specifically versions up to and including 14.16.4.", "description_and_impact": "The WP Statistics plugin fails to sanitize the utm_source parameter that is passed by external referral URLs. The raw value is written to a database field and later rendered inside an HTML legend via innerHTML without escaping, allowing an unauthenticated attacker to embed malicious JavaScript that will run in the browser of any administrator who visits the Referrals Overview or Social Media analytics pages. This Stored Cross\u2011Site Scripting can be used to hijack administrator sessions, steal data, or perform other malicious actions within the WordPress site.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 7.2, indicating a high impact. No EPSS score is currently available and the issue is not listed in the CISA KEV catalog. An attacker can exploit the flaw by crafting a referral URL with a malicious utm_source value and directing legitimate traffic to that URL. When an administrator later accesses the compromised analytics page, the injected script executes in the administrator\u2019s browser context, granting the attacker the ability to run arbitrary code within the bound of that session."}}}}, "created": "2026-04-17T03:30:08.586946+00:00", "updated": "2026-04-17T08:01:18.124466+00:00", "vendors": ["veronalabs", "veronalabs$PRODUCT$wp_statistics_\u2013_simple,_privacy-friendly_google_analytics_alternative", "wordpress", "wordpress$PRODUCT$wordpress"]}