Platform
wordpress
Component
wp-statistics
Fixed in
14.16.5
CVE-2026-5231 is a stored cross-site scripting (XSS) vulnerability in the WP Statistics plugin for WordPress. It lets unauthenticated attackers inject arbitrary web script that later executes in the browser of whoever views the affected chart, which can compromise administrator sessions and site data. Versions up to and including 14.16.4 are affected; version 14.16.5 contains the fix.
The flaw lies in how WP Statistics handles the utm_source parameter of referral URLs. When a visit arrives with a utm_source value that matches one of the plugin's wildcard channel domains, the plugin copies that value into the source_name field without sanitizing it. Later, when the plugin builds its chart legend, source_name is written into the page with innerHTML and no escaping, so any HTML or JavaScript the attacker placed in utm_source runs in the browser of whoever views the chart, with that viewer's session. An attacker can use this to steal cookies, redirect the viewer to a malicious site, or modify what the page shows.
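The following is an added example, not code from WP Statistics, that models the flow just described: a utm_source value passes a hypothetical wildcard channel rule, is copied verbatim into source_name, and is then interpolated into legend markup destined for innerHTML. The vulnerable builder sits beside an escaped one. The channel rules, the matching logic, the legend markup and the payload are all assumptions made for illustration.

```javascript
// Added example, not WP Statistics code. Channel rules, matching logic,
// legend markup and the payload are assumptions made for illustration.

// Constructed payload: the trailing ".example.com" lets it satisfy a
// hypothetical "*.example.com" wildcard rule while the leading tag is live HTML.
const SAMPLE_PAYLOAD = '<img src=x onerror=alert(document.cookie)>.example.com';

const CHANNEL_RULES = ['google.com', '*.example.com']; // hypothetical config

// Hypothetical wildcard matcher: "*.example.com" matches any value ending in
// ".example.com". Returning utmSource verbatim is the defect being modeled.
function resolveSourceName(utmSource, rules = CHANNEL_RULES) {
  for (const rule of rules) {
    if (rule.startsWith('*.') && utmSource.endsWith(rule.slice(1))) return utmSource;
    if (utmSource === rule) return utmSource;
  }
  return 'Unknown';
}

const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Minimal HTML entity escaping for text placed in element content or
// double-quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// Vulnerable pattern: source_name dropped straight into a string that will be
// assigned to legend.innerHTML. The browser parses the <img> and fires onerror.
function buildLegendUnsafe(sources) {
  return sources
    .map((s) => `<li><span class="swatch"></span>${s.source_name}: ${s.visitors}</li>`)
    .join('');
}

// Hardened pattern: every untrusted field escaped before it reaches innerHTML.
// Creating elements and assigning textContent is the other correct option.
function buildLegendSafe(sources) {
  return sources
    .map((s) => `<li><span class="swatch"></span>${escapeHtml(s.source_name)}: ${Number(s.visitors) || 0}</li>`)
    .join('');
}

// True when the markup still contains a raw tag a browser would parse and run.
function containsLiveTag(html) {
  return /<(img|svg|script|iframe)\b/i.test(html);
}

// Walk the full flow once and return both renderings for comparison.
function demo() {
  const stored = { source_name: resolveSourceName(SAMPLE_PAYLOAD), visitors: 3 };
  return {
    unsafe: buildLegendUnsafe([stored]),
    safe: buildLegendSafe([stored]),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const { unsafe, safe } = demo();
  console.log('unsafe legend:', unsafe, 'live tag:', containsLiveTag(unsafe));
  console.log('safe legend:  ', safe, 'live tag:', containsLiveTag(safe));
}
```

The point of the hypothetical matcher is that a suffix check on a domain pattern says nothing about what precedes the suffix, so matching a channel rule is not a substitute for sanitizing the value; the only reliable control is escaping at the innerHTML sink regardless of how the value was classified.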
Exploitation only requires sending the target site a request whose utm_source parameter carries HTML or JavaScript. Because the plugin records visits regardless of who makes them, the attacker can make that request directly rather than waiting for a victim to follow a link. WP Statistics stores the value, and the payload executes when the plugin next renders the charts that include the poisoned source_name. Success depends on the site's configuration: a wildcard channel domain must exist that the crafted utm_source value matches. No authentication is required, so any visitor, registered or not, can attempt it.
EPSS
0.03% (9th percentile)
Update WP Statistics to version 14.16.5 or later. The fix sanitizes the utm_source input and escapes the value before it is inserted into the legend markup. Apply the update promptly. Updating does not tell you whether the flaw was already used, so also review your web-server access logs for requests or Referer headers whose utm_source value contains <, >, javascript: or an on*= event handler, and review the referral sources the plugin has recorded for the same patterns. If you find evidence of intrusion, change all user passwords, scan the site for malware and consider restoring from a known-clean backup. Keeping WordPress core and all plugins up to date remains the baseline control.
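As an added example, not part of the WP Statistics project or this advisory, here is a small Node.js scanner for the log review step above. It parses combined-format access log lines, decodes every utm_source value found in the request line or the Referer header, and flags values that would survive as markup or an event handler. The log lines are constructed for this example, and the set of patterns treated as suspicious is an assumption a practitioner would tune.

```javascript
// Added example, not WP Statistics code. The log lines are constructed and
// the suspicious-pattern list is an assumption; extend both for your site.

const SAMPLE_LOG = [
  '203.0.113.10 - - [01/Mar/2026:10:00:00 +0000] "GET /?utm_source=newsletter HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '203.0.113.11 - - [01/Mar/2026:10:00:05 +0000] "GET /blog/?utm_source=%3Cimg%20src%3Dx%20onerror%3Dalert(document.cookie)%3E.example.com HTTP/1.1" 200 5120 "-" "curl/8.0"',
  '203.0.113.12 - - [01/Mar/2026:10:00:09 +0000] "GET /blog/ HTTP/1.1" 200 5120 "https://ref.example.net/?utm_source=%3Csvg/onload%3Dalert(1)%3E.example.com" "Mozilla/5.0"',
  'this line is deliberately malformed and must be skipped',
];

// Apache/Nginx "combined" format: ip ident user [time] "req" status bytes "referer" "ua"
const COMBINED_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/;

// Anything that would still be a tag or event handler once URL-decoded.
const MARKUP_RE = /[<>]|javascript:|on\w+\s*=/i;

// Decode all utm_source values from an absolute URL or a path; [] if unparsable.
function utmSourcesFrom(urlOrPath) {
  if (!urlOrPath || urlOrPath === '-') return [];
  try {
    return new URL(urlOrPath, 'http://placeholder.invalid').searchParams.getAll('utm_source');
  } catch {
    return [];
  }
}

// Split one combined-format line into named fields, or null if it does not match.
function parseLine(line) {
  const m = COMBINED_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: m[5], referer: m[6], ua: m[7] };
}

// One finding per suspicious utm_source value, noting whether it came from the
// request line or from the Referer header (both paths are described above).
function scanAccessLog(lines) {
  const findings = [];
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec) continue; // skip anything that is not a combined-format line
    const candidates = [
      ...utmSourcesFrom(rec.path).map((v) => ({ where: 'request', value: v })),
      ...utmSourcesFrom(rec.referer).map((v) => ({ where: 'referer', value: v })),
    ];
    for (const c of candidates) {
      if (MARKUP_RE.test(c.value)) findings.push({ ip: rec.ip, time: rec.time, ...c });
    }
  }
  return findings;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of scanAccessLog(SAMPLE_LOG)) {
    console.log(`${f.time} ${f.ip} [${f.where}] utm_source=${JSON.stringify(f.value)}`);
  }
}
```

Decoding before matching matters: the payload is percent-encoded in the log, so a plain grep for "<script" or "onerror" on the raw file misses it. The scanner also only sees what the web server logged; if a CDN or proxy sits in front of the site, run it against those logs too, and treat a match as a reason to inspect the stored referral sources, not as proof of compromise on its own.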
Update to version 14.16.5, or a newer patched version
XSS (Cross-Site Scripting) is a type of security vulnerability that allows attackers to inject malicious scripts into websites visited by other users.
An attacker could steal sensitive information, redirect users to malicious websites, or modify the content of your website.
If you suspect the site was compromised, change all user passwords, scan the website for malware, and consider restoring from a clean backup.
Yes, after updating to version 14.16.5 or higher, WP Statistics is safe to use.
You can download the latest version of WP Statistics from the official WordPress repository: [https://wordpress.org/plugins/wp-statistics/](https://wordpress.org/plugins/wp-statistics/)