Description
The GoStats for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the gostats_manage() function. This makes it possible for unauthenticated attackers to update the plugin's settings (gostats_siteid and gostats_server options) via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2026-05-27
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The GoStats for WordPress plugin contains a cross‑site request forgery flaw caused by missing or incorrect nonce validation in the gostats_manage() function. An attacker can send a forged request that an administrator may unknowingly execute, allowing the attacker to modify the plugin's configuration options such as gostats_siteid and gostats_server. This can alter how the plugin reports statistics, potentially redirecting data to malicious endpoints or disrupting site operations.

Affected Systems

All users of the rchmura GoStats for WordPress plugin with versions up to and including 1.4 are affected. The vulnerability applies to any WordPress installation that has this plugin installed and has not upgraded beyond 1.4.

Risk and Exploitability

The issue has a CVSS score of 4.3, indicating a moderate severity. EPSS is not available and the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw by crafting a malicious link or form that submits to the plugin's management endpoint. Successful exploitation requires an administrator to click the link or submit the form, after which the plugin settings are changed without authentication.

Generated by OpenCVE AI on May 27, 2026 at 08:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the GoStats for WordPress plugin to a version newer than 1.4.
  • If an update is not yet available, remove or disable the plugin until time‑to‑patch is released.
  • Ensure that admin users enable two‑factor authentication and use strong passwords.

Generated by OpenCVE AI on May 27, 2026 at 08:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 27 May 2026 11:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 27 May 2026 10:30:00 +0000

Type Values Removed Values Added
First Time appeared Rchmura
Rchmura gostats For Wordpress
Wordpress
Wordpress wordpress
Vendors & Products Rchmura
Rchmura gostats For Wordpress
Wordpress
Wordpress wordpress

Wed, 27 May 2026 06:30:00 +0000

Type Values Removed Values Added
Description The GoStats for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the gostats_manage() function. This makes it possible for unauthenticated attackers to update the plugin's settings (gostats_siteid and gostats_server options) via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title GoStats for WordPress <= 1.4 - Cross-Site Request Forgery via gostats_manage() Function
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Rchmura Gostats For Wordpress
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-27T10:37:16.554Z

Reserved: 2026-05-19T12:09:51.976Z

Link: CVE-2026-8943

cve-icon Vulnrichment

Updated: 2026-05-27T10:37:11.985Z

cve-icon NVD

Status : Received

Published: 2026-05-27T07:16:18.803

Modified: 2026-05-27T07:16:18.803

Link: CVE-2026-8943

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-27T10:07:28Z

Weaknesses