Platform
wordpress
Component
wp-statistics
Fixed in
14.16.5
CVE-2026-5231 is a Stored Cross-Site Scripting (XSS) vulnerability in the WP Statistics plugin for WordPress. It allows unauthenticated attackers to inject arbitrary web script that later executes in an administrator's browser, putting administrator accounts and site data at risk. All plugin versions up to and including 14.16.4 are affected; the fix is in version 14.16.5.
Exploitation requires no authentication. The attacker sends an ordinary HTTP request to the site with a crafted 'utm_source' query parameter, which the plugin's referral parsing stores without adequate sanitization. The payload then sits in the statistics data until an administrator opens the affected admin page, where it is rendered without proper escaping and the script runs in the administrator's browser session. From there the attacker can hijack the session, deface the WordPress admin interface, redirect the administrator to a malicious site, or read whatever the administrator's session can reach, including credentials and other confidential information stored in the WordPress environment. The blast radius is every administrator (or other privileged user) who views the affected admin pages.
CVE-2026-5231 was publicly disclosed on 2026-04-17. No public proof-of-concept (POC) code had been released at the time of writing, and the vulnerability is not listed in the CISA KEV catalog. The EPSS score is currently 0.03% (9th percentile), which reflects the absence of a public POC rather than any difficulty in exploitation: the injection point is an unauthenticated query parameter, so the probability of exploitation should be expected to rise sharply if a working POC is published.
Exploit status
EPSS
0.03% (9th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-5231 is to upgrade the WP Statistics plugin to version 14.16.5 or later immediately. If upgrading is not immediately feasible, a Web Application Firewall (WAF) rule that rejects requests whose 'utm_source' parameter contains markup (angle brackets, 'javascript:', event-handler attributes such as onerror=) reduces exposure, but only for new requests: because the XSS is stored, any payload that was recorded before the rule went in remains in the statistics data, so after patching also review the stored referral and campaign data for injected markup. For the plugin's own code, the fix pattern is the usual one, sanitize the parameter on input and escape it on output in the admin pages. Finally, monitor web-server access logs for requests carrying encoded or raw HTML in 'utm_source'; such requests are the injection attempts and are visible in the logs whether or not the plugin is patched.
Update to version 14.16.5 or a newer patched version
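The log-monitoring step above, as an added example that is not code from the WP Statistics project or from this advisory: it scans combined-format access-log lines for a 'utm_source' value that carries HTML or script markup, percent-decoding twice so that double-encoded payloads are caught, and shows what HTML-escaped output of the same value looks like. The log lines, client addresses and payloads are constructed for illustration; the detection regex is an assumption about what a malicious campaign label looks like and will not catch every obfuscation.

```python
"""Flag requests whose utm_source parameter looks like an XSS payload.

Added example for CVE-2026-5231 monitoring, not code from WP Statistics.
The sample log lines below are constructed; the SUSPICIOUS pattern is an
assumption about obvious payloads, not a complete XSS detector.
"""
import html
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Markup that no legitimate campaign label needs. Checked after decoding so
# that %3Cscript%3E is caught as well as <script>.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*[a-z]"          # opening or closing tag
    r"|javascript:"            # javascript: URL scheme
    r"|\bon[a-z]+\s*="         # event-handler attribute such as onerror=
    r"|&#x?[0-9a-f]+;",        # numeric character reference
    re.IGNORECASE,
)

# Combined log format: client ip, timestamp, request line, status, size,
# referrer, user agent. The request target has no spaces, so \S+ is enough.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample: one clean campaign hit and three injection attempts,
# the last one double percent-encoded.
SAMPLE_LOG = [
    '203.0.113.7 - - [17/Apr/2026:10:15:02 +0000] '
    '"GET /?utm_source=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [17/Apr/2026:10:16:11 +0000] '
    '"GET /?utm_source=newsletter&utm_medium=email HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [17/Apr/2026:10:17:45 +0000] '
    '"GET /blog/?utm_source=%3Cimg%20src%3Dx%20onerror%3Dalert(document.cookie)%3E HTTP/1.1" '
    '200 4096 "-" "curl/8.0"',
    '192.0.2.9 - - [17/Apr/2026:10:18:00 +0000] '
    '"GET /?utm_source=%253Csvg%2520onload%253Dalert(1)%253E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]


def extract_utm_source(target):
    """Return the first utm_source value of a request target, fully decoded, or None."""
    values = parse_qs(urlsplit(target).query, keep_blank_values=True).get("utm_source")
    if not values:
        return None
    # parse_qs decodes once; decode again to unwrap a double-encoded payload.
    return unquote_plus(values[0])


def is_suspicious(value):
    """True when the decoded value contains markup a campaign label never needs."""
    return bool(value) and SUSPICIOUS.search(value) is not None


def scan_log(lines):
    """Return (client ip, timestamp, decoded utm_source) for each suspicious request."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not a combined-format line; skip rather than guess
        value = extract_utm_source(match.group("target"))
        if is_suspicious(value):
            hits.append((match.group("ip"), match.group("ts"), value))
    return hits


def render_safely(value):
    """What an admin page should emit for a stored value: escaped text, never raw markup."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for ip, ts, payload in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} utm_source={payload!r} -> rendered as {render_safely(payload)}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines; a hit is an injection attempt from that client address, and the timestamp tells you whether it predates the upgrade to 14.16.5 (in which case the stored data needs cleaning). The same SUSPICIOUS pattern can seed a WAF rule, with the same caveat that it only recognises obvious payloads.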
XSS (Cross-Site Scripting) is a type of security vulnerability that allows attackers to inject malicious scripts into websites visited by other users.
An attacker could steal sensitive information, redirect users to malicious websites, or modify the content of your website.
If you suspect the vulnerability was exploited before you patched: change all user passwords (administrators first), scan the website for malware and unexpected changes, and consider restoring from a backup taken before the compromise.
Yes, after updating to version 14.16.5 or higher, WP Statistics is safe to use.
You can download the latest version of WP Statistics from the official WordPress repository: [https://wordpress.org/plugins/wp-statistics/](https://wordpress.org/plugins/wp-statistics/)