Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VeronaLabs WP Statistics allows DOM-Based XSS.

This issue affects WP Statistics: from n/a through 14.16.6.
Published: 2026-06-01
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a DOM‑based Cross‑Site Scripting flaw caused by improper neutralization of user input during web page generation. An attacker can insert malicious JavaScript that runs in the browser of anyone who views the affected page. Depending on the site configuration, this could allow credential theft, session hijack, or defacement of the site.

Affected Systems

The flaw affects the VeronaLabs WP Statistics plugin for WordPress installations, version 14.16.6 or older. Any WordPress site that has this plugin installed and not updated to at least 14.16.7 is potentially exposed.

Risk and Exploitability

The CVSS score of 7.1 rates the vulnerability as high. EPSS is not available, and the flaw is not listed in CISA KEV, indicating no widely known exploits. The typical attack vector for DOM‑based XSS is to craft a special URL or input that is reflected in the page, so a normal site visitor who follows a malicious link could be impacted. While no active exploits are reported, the potential for client‑side compromise makes this a significant risk, especially for sites with high traffic.

Generated by OpenCVE AI on June 1, 2026 at 16:35 UTC.

Remediation

Vendor Solution

Update the WordPress WP Statistics Plugin to the latest available version (at least 14.16.7).

OpenCVE Recommended Actions

  • Update the WP Statistics plugin to version 14.16.7 or later.
  • If upgrading immediately is not possible, temporarily disable or remove the plugin from all production WordPress sites.
  • Deploy a Web Application Firewall or similar filtering to block common XSS payloads and monitor for suspicious script execution during user sessions.

Generated by OpenCVE AI on June 1, 2026 at 16:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 01 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 01 Jun 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Veronalabs
Veronalabs wp Statistics
Wordpress
Wordpress wordpress
Vendors & Products Veronalabs
Veronalabs wp Statistics
Wordpress
Wordpress wordpress

Mon, 01 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VeronaLabs WP Statistics allows DOM-Based XSS. This issue affects WP Statistics: from n/a through 14.16.6.
Title WordPress WP Statistics plugin <= 14.16.6 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Veronalabs Wp Statistics
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-01T16:18:50.112Z

Reserved: 2026-05-25T14:28:27.466Z

Link: CVE-2026-48839

cve-icon Vulnrichment

Updated: 2026-06-01T16:18:43.959Z

cve-icon NVD

Status : Deferred

Published: 2026-06-01T15:16:38.010

Modified: 2026-06-01T16:41:55.090

Link: CVE-2026-48839

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-01T16:45:16Z

Weaknesses