Scan free
HIGHCVE-2026-2936CVSS 7.2

CVE-2026-2936: XSS in Visitor Traffic Real Time Statistics

Platform

wordpress

Component

visitors-traffic-real-time-statistics

Fixed in

8.4.1

AI Confidence: highNVDEPSS 0.0%Reviewed: May 2026
View on NVD
Save

CVE-2026-2936 describes a Stored Cross-Site Scripting (XSS) vulnerability affecting the Visitor Traffic Real Time Statistics plugin for WordPress. This vulnerability allows unauthenticated attackers to inject arbitrary web scripts, potentially leading to account compromise and data theft. The vulnerability impacts versions 0.0.0 through 8.4 and has been resolved in version 8.5.

WordPress

Detect this CVE in your project

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan free

Impact and Attack Scenarios

An attacker can exploit this XSS vulnerability by injecting malicious JavaScript code into the 'page_title' parameter within the plugin. When an administrator accesses the Traffic by Title section, the injected script will execute in their browser context. This allows the attacker to steal session cookies, redirect the administrator to a phishing site, or deface the website. The impact is particularly severe because it targets administrator accounts, granting the attacker significant control over the WordPress site. Successful exploitation could lead to complete website takeover and data breaches.

Exploitation Context

CVE-2026-2936 was publicly disclosed on 2026-04-04. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability's simplicity suggests it is likely to be exploited. It is not currently listed on the CISA KEV catalog. The ease of exploitation makes it a potential target for automated scanning and exploitation campaigns.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown
CISA KEVNO
Internet ExposureHigh
Reports1 threat report

EPSS

0.02% (6% percentile)

CISA SSVC

Exploitationnone
Automatableno
Technical Impactpartial

CVSS Vector

THREAT INTELLIGENCE· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N7.2HIGHAttack VectorNetworkHow the attacker reaches the targetAttack ComplexityLowConditions required to exploitPrivileges RequiredNoneAuthentication level needed to attackUser InteractionNoneWhether a victim must take actionScopeChangedImpact beyond the vulnerable componentConfidentialityLowRisk of sensitive data exposureIntegrityLowRisk of unauthorized data modificationAvailabilityNoneRisk of service disruptionnextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
Confidentiality
Low — partial or indirect data access. Attacker gains limited information.
Integrity
Low — attacker can modify some data with limited scope or impact.
Availability
None — no availability impact. Service remains fully operational.

Affected Software

Componentvisitors-traffic-real-time-statistics
Vendorwordfence
Affected rangeFixed in
0 – 8.48.4.1

Package Information

Active installs
30KKnown
Plugin rating
4.2
Requires WordPress
3.0.1+
Compatible up to
6.9.4

Weakness Classification (CWE)

CWE-79

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2026-2936 is to immediately upgrade the Visitor Traffic Real Time Statistics plugin to version 8.5 or later. If upgrading is not immediately feasible, consider temporarily restricting access to the Traffic by Title section to prevent administrators from being exposed to the vulnerability. While a direct workaround isn't available, implementing a Web Application Firewall (WAF) rule to filter suspicious input in the 'pagetitle' parameter could provide an additional layer of defense. After upgrading, confirm the fix by attempting to inject a simple JavaScript payload into the 'pagetitle' field and verifying that it does not execute.

How to fix

Update to version 8.5, or a newer patched version

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2026-2936 — XSS in Visitor Traffic Real Time Statistics?

CVE-2026-2936 is a Stored Cross-Site Scripting (XSS) vulnerability in the Visitor Traffic Real Time Statistics WordPress plugin, allowing attackers to inject malicious scripts.

Am I affected by CVE-2026-2936 in Visitor Traffic Real Time Statistics?

You are affected if you are using the Visitor Traffic Real Time Statistics plugin in WordPress versions 0.0.0 through 8.4.

How do I fix CVE-2026-2936 in Visitor Traffic Real Time Statistics?

Upgrade the Visitor Traffic Real Time Statistics plugin to version 8.5 or later to resolve the vulnerability.

Is CVE-2026-2936 being actively exploited?

While no public exploits are currently known, the vulnerability's simplicity suggests it may be targeted by attackers.

Where can I find the official Visitor Traffic Real Time Statistics advisory for CVE-2026-2936?

Refer to the plugin developer's website or WordPress plugin repository for the official advisory and update information.

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan freeSearch CVEs