CVE-2026-3488

| EUVD-2026-23337 MEDIUM
2026-04-17 Wordfence GHSA-v77j-mp3m-5c9v
Authentication Bypass WordPress
6.5
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Apr 17, 2026 - 02:18 vuln.today

DescriptionNVD

The WP Statistics plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 14.16.4. This is due to missing capability checks on multiple AJAX handlers including wp_statistics_get_filters, wp_statistics_getPrivacyStatus, wp_statistics_updatePrivacyStatus, and wp_statistics_dismiss_notices. These endpoints only verify a wp_rest nonce via check_ajax_referer() but do not enforce any capability checks such as current_user_can() or the plugin's own User::Access() method. Since the wp_rest nonce is available to all authenticated WordPress users, this makes it possible for authenticated attackers, with Subscriber-level access and above, to access sensitive analytics data (user IDs, usernames, emails, visitor tracking data), retrieve and modify privacy audit compliance status, and dismiss administrative notices.

AnalysisAI

WP Statistics plugin for WordPress versions up to 14.16.4 fail to enforce capability checks on multiple AJAX endpoints, allowing authenticated Subscriber-level users to access sensitive analytics data, retrieve and modify privacy audit status, and dismiss administrative notices. The vulnerability stems from reliance on nonce verification alone without role-based access control, affecting all installations with the plugin active and at least one authenticated user account. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Share

CVE-2026-3488 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy