Is WordPress affected by EUVD-2026-18995?

The Visitor Traffic Real Time Statistics WordPress plugin (version 8.4 and earlier) contains a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious code executed in administrator browsers, potentially enabling account compromise and unauthorized site…

EUVD-2026-18995

| CVE-2026-2936 HIGH

2026-04-04 Wordfence

GHSA-pxhv-8xjp-pj79

7.2

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Lifecycle Timeline

EUVD ID Assigned

Apr 04, 2026 - 11:30 euvd

EUVD-2026-18995

Analysis Generated

Apr 04, 2026 - 11:30 vuln.today

CVE Published

Apr 04, 2026 - 11:16 nvd

HIGH 7.2

Description

The Visitor Traffic Real Time Statistics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'page_title' parameter in all versions up to, and including, 8.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an admin user accesses the Traffic by Title section.

Analysis

Stored Cross-Site Scripting in Visitor Traffic Real Time Statistics WordPress plugin (≤8.4) allows unauthenticated remote attackers to inject malicious JavaScript via the 'page_title' parameter that executes when administrators view the Traffic by Title section. No public exploit identified at time of analysis, though CVSS 7.2 (High) severity reflects the unauthenticated attack vector and cross-site scripting scope. …

Remediation

Within 24 hours: Identify all WordPress installations using Visitor Traffic Real Time Statistics plugin ≤8.4 and document current version. Within 7 days: Contact the plugin vendor to confirm patched version availability and test in a staging environment; consider temporarily disabling the plugin if patched version is unavailable. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +36

POC: 0

EUVD-2026-18995 vulnerability details – vuln.today

Back

EUVD-2026-18995

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

EUVD-2026-18995

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code