Visitor Traffic Real Time Statistics <= 8.4 - Cross-Site Scripting (XSS) Armazenado Não Autenticado
Plataforma
wordpress
Componente
visitors-traffic-real-time-statistics
Corrigido em
8.4.1
CVE-2026-2936 describes a Stored Cross-Site Scripting (XSS) vulnerability affecting the Visitor Traffic Real Time Statistics plugin for WordPress. This vulnerability allows unauthenticated attackers to inject arbitrary web scripts, potentially leading to account compromise and data theft. The vulnerability impacts versions 0.0.0 through 8.4 and has been resolved in version 8.5.
Detecte esta CVE no seu projeto
Envie seu arquivo de dependências e descubra na hora se esta e outras CVEs te atingem.
Impacto e Cenários de Ataquetraduzindo…
An attacker can exploit this XSS vulnerability by injecting malicious JavaScript code into the 'page_title' parameter within the plugin. When an administrator accesses the Traffic by Title section, the injected script will execute in their browser context. This allows the attacker to steal session cookies, redirect the administrator to a phishing site, or deface the website. The impact is particularly severe because it targets administrator accounts, granting the attacker significant control over the WordPress site. Successful exploitation could lead to complete website takeover and data breaches.
Contexto de Exploraçãotraduzindo…
CVE-2026-2936 was publicly disclosed on 2026-04-04. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability's simplicity suggests it is likely to be exploited. It is not currently listed on the CISA KEV catalog. The ease of exploitation makes it a potential target for automated scanning and exploitation campaigns.
Quem Está em Riscotraduzindo…
WordPress websites utilizing the Visitor Traffic Real Time Statistics plugin, particularly those running older versions (0.0.0–8.4), are at risk. Sites with limited security monitoring and those where administrators frequently access the Traffic by Title section are especially vulnerable.
Passos de Detecçãotraduzindo…
• wordpress / composer / npm:
grep -r "page_title'" /var/www/html/wp-content/plugins/visitor-traffic-real-time-statistics/• wordpress / composer / npm:
wp plugin list --status=active | grep 'visitor-traffic-real-time-statistics'• wordpress / composer / npm:
wp plugin update visitor-traffic-real-time-statistics --allLinha do Tempo do Ataque
- Disclosure
disclosure
Inteligência de Ameaças
Status do Exploit
EPSS
0.02% (percentil 6%)
CISA SSVC
Vetor CVSS
O que significam essas métricas?
- Attack Vector
- Rede — explorável remotamente pela internet. Sem acesso físico ou local necessário.
- Attack Complexity
- Baixa — sem condições especiais. O atacante pode explorar de forma confiável.
- Privileges Required
- Nenhum — sem autenticação necessária para explorar.
- User Interaction
- Nenhuma — ataque automático e silencioso. A vítima não faz nada.
- Scope
- Alterado — o ataque pode pivotar para além do componente vulnerável.
- Confidentiality
- Baixo — acesso parcial ou indireto a alguns dados.
- Integrity
- Baixo — o atacante pode modificar alguns dados com alcance limitado.
- Availability
- Nenhum — sem impacto na disponibilidade.
Software Afetado
Informações do pacote
- Instalações ativas
- 30KConhecido
- Avaliação do plugin
- 4.2
- Requer WordPress
- 3.0.1+
- Compatível até
- 6.9.4
Classificação de Fraqueza (CWE)
Linha do tempo
- Reservado
- Publicada
- Modificada
- EPSS atualizado
Mitigação e Soluções Alternativastraduzindo…
The primary mitigation for CVE-2026-2936 is to immediately upgrade the Visitor Traffic Real Time Statistics plugin to version 8.5 or later. If upgrading is not immediately feasible, consider temporarily restricting access to the Traffic by Title section to prevent administrators from being exposed to the vulnerability. While a direct workaround isn't available, implementing a Web Application Firewall (WAF) rule to filter suspicious input in the 'pagetitle' parameter could provide an additional layer of defense. After upgrading, confirm the fix by attempting to inject a simple JavaScript payload into the 'pagetitle' field and verifying that it does not execute.
Como corrigir
Atualize para a versão 8.5, ou uma versão corrigida mais recente
Boletim de Segurança CVE
Análise de vulnerabilidades e alertas críticos diretamente no seu e-mail.
Perguntas frequentestraduzindo…
What is CVE-2026-2936 — XSS in Visitor Traffic Real Time Statistics?
CVE-2026-2936 is a Stored Cross-Site Scripting (XSS) vulnerability in the Visitor Traffic Real Time Statistics WordPress plugin, allowing attackers to inject malicious scripts.
Am I affected by CVE-2026-2936 in Visitor Traffic Real Time Statistics?
You are affected if you are using the Visitor Traffic Real Time Statistics plugin in WordPress versions 0.0.0 through 8.4.
How do I fix CVE-2026-2936 in Visitor Traffic Real Time Statistics?
Upgrade the Visitor Traffic Real Time Statistics plugin to version 8.5 or later to resolve the vulnerability.
Is CVE-2026-2936 being actively exploited?
While no public exploits are currently known, the vulnerability's simplicity suggests it may be targeted by attackers.
Where can I find the official Visitor Traffic Real Time Statistics advisory for CVE-2026-2936?
Refer to the plugin developer's website or WordPress plugin repository for the official advisory and update information.
Seu projeto está afetado?
Envie seu arquivo de dependências e descubra na hora se esta e outras CVEs te atingem.