Description
The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fh' (fingerprint) parameter in all versions up to, and including, 5.3.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-03-19
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS
Action: Patch
AI Analysis

Impact

Key detail from CVE description: The SlimStat Analytics plugin for WordPress is vulnerable to stored cross‑site scripting via the 'fh' parameter in all versions up to 5.3.5 due to insufficient input sanitization and output escaping. Attackers who can supply arbitrary values for 'fh' can inject malicious scripts that execute whenever an affected user views the injected page, potentially leading to session hijacking, defacement, or theft of credentials.

Affected Systems

The affected product is the SlimStat Analytics plugin from veronalabs. All releases up to and including version 5.3.5 are susceptible; no impact was reported for newer releases in the CVE record.

Risk and Exploitability

The CVSS score for this vulnerability is 7.2, which corresponds to a high severity rating. The EPSS score is not provided and the vulnerability is not listed in CISA’s KEV catalog, indicating no widespread, known exploitation. According to the CVE description the attack vector is unauthenticated input of the 'fh' parameter; an attacker can embed a payload that will execute in the context of any visitor to the affected page. Because the flaw does not require authentication, it poses an elevated risk to all users of the plugin.

Generated by OpenCVE AI on March 19, 2026 at 06:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade SlimStat Analytics to version 5.3.6 or later.
  • If an upgrade is not immediately possible, disable or remove the 'fh' parameter from the plugin or block the parameter with a firewall rule to prevent script injection.
  • Ensure that WordPress core and all other plugins are updated to their latest secure versions.
  • Monitor website logs and user sessions for signs of XSS activity and conduct regular security scans.
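As an added example that is not part of the OpenCVE record or the SlimStat plugin's own code, the Python script below works through two of the actions above: the monitoring step (scanning access logs for requests whose 'fh' parameter carries HTML markup characters, which a fingerprint value should never need) and the root cause named in the description (output escaping of a stored value before it is rendered). Assumptions: the access log is in the common "combined" format; the request path `/index.php` is a placeholder, since the record does not give the affected endpoint; the only identifier taken from the record is the query parameter name 'fh'; the log lines in `SAMPLE_LOG` are constructed for this demonstration.

```python
"""Detection and output-escaping demo for the 'fh' stored-XSS issue.

Added example, not code from OpenCVE or the SlimStat plugin.  Assumptions:
 - access logs are in the common 'combined' format (Apache/nginx default);
 - '/index.php' below is a placeholder path; the only identifier taken from
   the CVE record is the query parameter name 'fh';
 - the log lines in SAMPLE_LOG are constructed for this demo.
"""
import html
import re
from urllib.parse import parse_qs, urlsplit

# Request-line fields of a combined-format log entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A fingerprint value should never need characters that can open or close
# an HTML tag or attribute; their presence is the signal we key on.
MARKUP_CHARS = frozenset('<>"\'')

# Constructed sample log: two ordinary requests, two carrying markup in 'fh',
# and one malformed line that the scanner must skip.
SAMPLE_LOG = """\
203.0.113.10 - - [19/Mar/2026:06:50:01 +0000] "GET /index.php?fh=a1b2c3d4 HTTP/1.1" 200 512
203.0.113.11 - - [19/Mar/2026:06:50:09 +0000] "GET /index.php?fh=ffee0011&r=1 HTTP/1.1" 200 512
198.51.100.7 - - [19/Mar/2026:06:51:17 +0000] "GET /index.php?fh=%3Cscript%3E%3C%2Fscript%3E HTTP/1.1" 200 512
198.51.100.7 - - [19/Mar/2026:06:51:20 +0000] "POST /index.php?fh=%22%3E%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 512
this line is deliberately malformed and must be skipped
"""


def extract_fh(target: str):
    """Return the URL-decoded 'fh' query value of a request target, or None."""
    query = urlsplit(target).query
    values = parse_qs(query).get("fh")
    return values[0] if values else None


def is_suspicious(value: str) -> bool:
    """True when the value contains characters that could form HTML markup."""
    return any(ch in MARKUP_CHARS for ch in value)


def scan_log(text: str):
    """Return one record per request whose 'fh' parameter looks like markup."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash
        fh = extract_fh(m.group("target"))
        if fh is not None and is_suspicious(fh):
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "method": m.group("method"), "fh": fh})
    return hits


def render_safely(value: str) -> str:
    """Output-escape a stored value before placing it in HTML.

    html.escape stands in for the escaping the plugin lacked; in WordPress
    code the equivalent calls are esc_html() / esc_attr() at output time.
    """
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['method']} fh={hit['fh']!r}")
    raw = '"><b>x</b>'
    print("escaped for output:", render_safely(raw))
```

Run against a real log, `scan_log` is a first-pass triage filter rather than proof of exploitation: a hit means someone sent markup in 'fh', and the stored-XSS behaviour described above means such a value may now be persisted and served to other visitors until the plugin is upgraded. `render_safely` shows why escaping at output time closes the issue: the escaped string no longer contains any of the characters `is_suspicious` keys on, so the browser renders it as text rather than markup.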

Generated by OpenCVE AI on March 19, 2026 at 06:50 UTC.


Advisories

No advisories yet.

History

Thu, 19 Mar 2026 16:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 19 Mar 2026 09:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Veronalabs; Veronalabs slimstat Analytics; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Veronalabs; Veronalabs slimstat Analytics; Wordpress; Wordpress wordpress

Thu, 19 Mar 2026 05:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fh' (fingerprint) parameter in all versions up to, and including, 5.3.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Type: Title
Values Removed: (none)
Values Added: SlimStat Analytics <= 5.3.5 - Unauthenticated Stored Cross-Site Scripting via 'fh'

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: References
Values Removed: (none)
Values Added: (not listed on this page)

Type: Metrics (cvssV3_1)
Values Removed: (none)
Values Added: {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Veronalabs Slimstat Analytics
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:30:48.873Z

Reserved: 2026-01-20T17:06:15.495Z

Link: CVE-2026-1238

Vulnrichment

Updated: 2026-03-19T16:06:00.261Z

NVD

Status : Awaiting Analysis

Published: 2026-03-19T05:15:59.567

Modified: 2026-03-19T13:25:00.570

Link: CVE-2026-1238

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T11:55:26Z

Weaknesses