Description
The WP Statistics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'utm_source' parameter in all versions up to, and including, 14.16.4. This is due to insufficient input sanitization and output escaping. The plugin's referral parser copies the raw utm_source value into the source_name field when a wildcard channel domain matches, and the chart renderer later inserts this value into legend markup via innerHTML without escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in admin pages that will execute whenever an administrator accesses the Referrals Overview or Social Media analytics pages.
Published: 2026-04-17
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting that executes when an administrator views analytics pages
Action: Patch Immediately
AI Analysis

Impact

The WP Statistics plugin fails to sanitize the utm_source parameter that is passed by external referral URLs. The raw value is written to a database field and later rendered inside an HTML legend via innerHTML without escaping, allowing an unauthenticated attacker to embed malicious JavaScript that will run in the browser of any administrator who visits the Referrals Overview or Social Media analytics pages. This Stored Cross‑Site Scripting can be used to hijack administrator sessions, steal data, or perform other malicious actions within the WordPress site.

Affected Systems

WordPress sites that use the WP Statistics plugin from veronalabs, specifically versions up to and including 14.16.4.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.2, indicating a high impact. No EPSS score is currently available and the issue is not listed in the CISA KEV catalog. An attacker can exploit the flaw by crafting a referral URL with a malicious utm_source value and directing legitimate traffic to that URL. When an administrator later accesses the compromised analytics page, the injected script executes in the administrator’s browser context, granting the attacker the ability to run arbitrary code within the bounds of that session.

Generated by OpenCVE AI on April 17, 2026 at 03:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WP Statistics to a version newer than 14.16.4, ensuring the utm_source handling and output escaping have been corrected.
  • Restrict access to the Referrals Overview and Social Media analytics pages to trusted administrators, and enforce strict role‑based access controls in WordPress.
  • Implement server‑side or application‑level filtering to sanitize the utm_source parameter (for example, strip script tags or encode the value) before it is stored or rendered by the plugin.
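The innerHTML pattern named in the description and the output-escaping fix recommended above, as an added example that is not WP Statistics code; the function names, the row shape and the storage-side length cap are assumptions.

```javascript
// Added example (not WP Statistics code): the vulnerable pattern described
// above beside an output-escaping fix. Markup is built as strings so it runs
// in Node; in a browser the equivalent fix is `li.textContent = name` in
// place of assigning unescaped HTML to `innerHTML`.

// Encode the characters that switch context in HTML text and attributes.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#039;");
}

// Vulnerable pattern: a stored source_name is concatenated straight into
// legend markup, so any tags it carries are parsed as HTML by the browser.
function renderLegendUnsafe(rows) {
  const items = rows.map(r => "<li>" + r.source_name + "</li>").join("");
  return '<ul class="legend">' + items + "</ul>";
}

// Hardened: every source_name is HTML-encoded at the point of output.
function renderLegendSafe(rows) {
  const items = rows.map(r => "<li>" + escapeHtml(r.source_name) + "</li>").join("");
  return '<ul class="legend">' + items + "</ul>";
}

// Defence in depth before storage (an assumed policy, not the plugin's own):
// a utm_source is a short label, so drop control characters and cap length.
// This bounds what is stored; the output escaping above is still the fix.
function normalizeUtmSource(raw, maxLen = 100) {
  return String(raw).replace(/[\u0000-\u001f\u007f]/g, "").trim().slice(0, maxLen);
}

// Constructed sample rows in the shape the referral parser would store:
// one ordinary campaign label and one that carries markup.
const SAMPLE_ROWS = [
  { source_name: "spring-newsletter" },
  { source_name: "<b>not a label</b>" },
];

// True when a rendered legend still contains the sample's raw <b> tag.
function containsRawTag(html) {
  return /<\/?b>/.test(html);
}

console.log(containsRawTag(renderLegendUnsafe(SAMPLE_ROWS))); // true
console.log(containsRawTag(renderLegendSafe(SAMPLE_ROWS)));   // false
```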

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 15:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 17 Apr 2026 08:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Veronalabs; Veronalabs wp Statistics – Simple, Privacy-friendly Google Analytics Alternative; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Veronalabs; Veronalabs wp Statistics – Simple, Privacy-friendly Google Analytics Alternative; Wordpress; Wordpress wordpress

Fri, 17 Apr 2026 02:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: (the Description given at the top of this page)

Type: Title
Values Removed: (none)
Values Added: WP Statistics <= 14.16.4 - Unauthenticated Stored Cross-Site Scripting via 'utm_source' Parameter

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-17T14:30:43.119Z

Reserved: 2026-03-31T13:31:45.563Z

Link: CVE-2026-5231

Vulnrichment

Updated: 2026-04-17T14:30:31.668Z

NVD

Status: Received

Published: 2026-04-17T02:16:06.227

Modified: 2026-04-17T02:16:06.227

Link: CVE-2026-5231

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T08:01:18Z

Weaknesses