Skip to main content

StatCounter WordPress Plugin CVE-2026-57629

| EUVDEUVD-2026-39745 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-26 audit@patchstack.com GHSA-xm6v-vxpj-38gq
6.5
CVSS 3.1 · Vendor: patchstack
Share

Severity by source

Vendor (patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
6.5 MEDIUM

Contributor-level authentication (PR:L), victim interaction required to trigger payload (UI:R), and scope change (S:C) reflect cross-session impact on administrator-level users.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:L/SC:L/SI:L/SA:N

Primary rating from Vendor (patchstack).

CVSS VectorVendor: patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 16:15 vuln.today

DescriptionCVE.org

Contributor Cross Site Scripting (XSS) in StatCounter <= 2.1.1 versions.

AnalysisAI

Cross-site scripting in the StatCounter WordPress plugin (versions up to and including 2.1.1) allows authenticated Contributor-level users to inject persistent malicious scripts into content that executes in the browser context of higher-privileged users who view that content. The CVSS scope change (S:C) indicates the payload can reach sessions beyond the attacker's own - most critically Administrator sessions - enabling session hijacking, credential theft, or unauthorized administrative actions such as creating backdoor accounts. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain or register Contributor-level WordPress account
Delivery
Inject XSS payload into StatCounter plugin input field
Exploit
Save or publish content containing payload
Execution
Administrator views or edits poisoned content
Persist
Malicious script executes in administrator's browser
Impact
Exfiltrate session token or perform privileged actions

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold a valid WordPress account with at minimum Contributor-level privileges (confirmed by PR:L in the CVSS vector) - this role must be explicitly assigned by an administrator or enabled through open registration. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS 6.5 Medium score reflects a meaningful authentication barrier: exploitation requires a WordPress account with at least Contributor-level privileges (PR:L), which is not the default public-facing attack surface. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or compromises a Contributor-level WordPress account on a site running StatCounter <= 2.1.1, then crafts a post or page embedding a JavaScript payload in an input field that the plugin fails to sanitize - such as a plugin settings field or shortcode parameter. When a site Administrator reviews, edits, or approves the content, the script silently executes in the administrator's browser, exfiltrating their session cookie to an attacker-controlled server and enabling full administrative takeover of the WordPress site.
Remediation Consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/official-statcounter-plugin-for-wordpress/vulnerability/wordpress-statcounter-plugin-2-1-1-cross-site-scripting-xss-vulnerability for the latest patched release. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57629 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy