Skip to main content

WP Statistics CVE-2026-48839

| EUVDEUVD-2026-33652 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-01 audit@patchstack.com GHSA-55x5-63j2-vmw4
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 01, 2026 - 15:33 vuln.today

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VeronaLabs WP Statistics allows DOM-Based XSS.

This issue affects WP Statistics: from n/a through 14.16.6.

AnalysisAI

DOM-based cross-site scripting in VeronaLabs WP Statistics plugin for WordPress through version 14.16.6 allows remote attackers to execute arbitrary JavaScript in a victim's browser when the user is lured into interacting with a malicious link or page. The CVSS 7.1 score reflects unauthenticated network exploitability with user interaction required and a scope change, but no public exploit code has been identified at time of analysis and the issue is not listed in CISA KEV.

Technical ContextAI

WP Statistics is a widely deployed WordPress analytics plugin from VeronaLabs that tracks site visitors, page views, and search queries. CWE-79 (Improper Neutralization of Input During Web Page Generation) here manifests specifically as DOM-Based XSS, meaning the unsafe sink is in client-side JavaScript that writes attacker-controllable data (likely sourced from URL fragments, query parameters, or document properties) into the DOM without proper encoding. Unlike reflected or stored XSS, the malicious payload never needs to round-trip through the server, which makes WAF-based detection harder and means even read-only or cached pages can be abused. No CPE data was provided in the input, but the advisory text identifies the affected component as the WP Statistics plugin up to and including 14.16.6.

RemediationAI

Upgrade WP Statistics to a version newer than 14.16.6 as soon as VeronaLabs publishes a fix; the provided intelligence does not name an exact patched release, so administrators should consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wp-statistics/vulnerability/wordpress-wp-statistics-plugin-14-16-6-cross-site-scripting-xss-vulnerability and the WordPress.org plugin changelog to confirm the corrected build before deploying. Until a patched version is installed, compensating controls include deploying a strict Content-Security-Policy (CSP) that disallows inline script and restricts script-src to trusted origins to neutralize injected DOM payloads (trade-off: may break legitimate inline analytics or admin UI scripts and requires testing), restricting access to the WordPress admin area by IP allowlist or VPN so administrators are unlikely to be lured into clicking attacker-supplied links into their own site, training administrators not to click untrusted links pointing back to their own WP installation, and temporarily deactivating the WP Statistics plugin if the dashboard analytics it provides are non-essential.

Share

CVE-2026-48839 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy