Description
The WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the User-Agent Header in all versions up to, and including, 14.5.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-09-27
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting (XSS)
Action: Patch now
AI Analysis

Impact

The plugin stores arbitrary scripts in its database that are later displayed on pages. An attacker can inject malicious code via an unsanitized User‑Agent header and, because the flaw is stored, the code persists for anyone who views a page. The primary impact is client‑side code execution, which can lead to session hijacking, cookie theft, or defacement.

Affected Systems

WP Statistics – Simple, privacy-friendly Google Analytics alternative for WordPress. Versions up to and including 14.5.4 are vulnerable.

Risk and Exploitability

The CVSS score of 7.2 classifies this as a high‑severity issue. The EPSS score of less than 1% indicates that real‑world exploitation is currently unlikely, and it is not listed in CISA’s KEV catalog. The flaw can be exploited by any unauthenticated user simply by crafting an HTTP request with a malicious User‑Agent header; no additional prerequisites are required. Attackers could therefore inject scripts that execute whenever any site visitor loads a page that retrieves the stored data, leading to widespread client‑side compromise.

Generated by OpenCVE AI on April 20, 2026 at 19:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WP Statistics to version 14.5.5 or later to eliminate the stored XSS flaw.
  • If an update cannot be applied immediately, configure a web application firewall or server rule to strip or heavily sanitize the User‑Agent header before it is saved.
  • Add a strict Content Security Policy (e.g., default-src 'self'; script-src 'self') to block execution of unexpected scripts on the site.

Generated by OpenCVE AI on April 20, 2026 at 19:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-31405 The WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the User-Agent Header in all versions up to, and including, 14.5.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Mon, 29 Sep 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 29 Sep 2025 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Veronalabs
Veronalabs wp Statistics
Wordpress
Wordpress wordpress
Vendors & Products Veronalabs
Veronalabs wp Statistics
Wordpress
Wordpress wordpress

Sat, 27 Sep 2025 04:45:00 +0000

Type Values Removed Values Added
Description The WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the User-Agent Header in all versions up to, and including, 14.5.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title WP Statistics <= 14.5.4 - Unauthenticated Stored Cross-Site Scripting via User-Agent Header
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Veronalabs Wp Statistics
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:26:47.331Z

Reserved: 2025-09-01T21:53:19.185Z

Link: CVE-2025-9816

cve-icon Vulnrichment

Updated: 2025-09-29T13:50:03.275Z

cve-icon NVD

Status : Deferred

Published: 2025-09-27T05:15:30.400

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-9816

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T19:30:06Z

Weaknesses