WP Statistics Plugin Stored XSS Vulnerability (CVE-2026-5231)
The WP Statistics WordPress plugin is vulnerable to stored cross-site scripting (XSS) via the 'utm_source' parameter, allowing unauthenticated attackers to inject arbitrary web scripts into admin pages.
The WP Statistics plugin for WordPress, versions up to and including 14.16.4, is susceptible to a stored cross-site scripting (XSS) vulnerability identified as CVE-2026-5231. This flaw stems from inadequate input sanitization and output escaping of the 'utm_source' parameter. The vulnerability is triggered because the plugin's referral parser copies the unsanitized 'utm_source' value directly into the 'source_name' field when a wildcard channel domain matches. Subsequently, the chart renderer uses this value in the legend markup via innerHTML without proper escaping. This allows unauthenticated attackers to inject malicious JavaScript code, which executes within the context of an administrator's browser when they access the Referrals Overview or Social Media analytics pages within the WordPress admin panel. This poses a significant risk to the confidentiality and integrity of the WordPress site.
Attack Chain
- An unauthenticated attacker crafts a malicious URL containing a JavaScript payload within the
utm_sourceparameter. - A user visits the website using the malicious URL, triggering the WP Statistics plugin's referral parser.
- The plugin's referral parser processes the URL and copies the unsanitized
utm_sourcevalue, including the injected JavaScript, into thesource_namefield in the database. - An administrator logs into the WordPress admin panel.
- The administrator navigates to the Referrals Overview or Social Media analytics pages, which utilize the WP Statistics plugin's chart renderer.
- The chart renderer retrieves the
source_namefield from the database, which contains the injected JavaScript. - The chart renderer inserts the malicious JavaScript into the legend markup via innerHTML without proper escaping.
- The administrator's browser executes the injected JavaScript, potentially allowing the attacker to perform actions such as stealing administrator cookies, modifying website content, or redirecting the administrator to a malicious website.
Impact
Successful exploitation of this stored XSS vulnerability allows an unauthenticated attacker to execute arbitrary JavaScript code within the context of an administrator's browser. This could lead to complete compromise of the WordPress website, including unauthorized access to sensitive data, modification of website content, and installation of malicious plugins or themes. The impact is significant due to the widespread use of the WP Statistics plugin and the potential for attackers to gain complete control over affected websites. While no specific victim numbers are available, the large user base of WordPress suggests a potentially broad impact across various sectors.
Recommendation
- Apply the latest patch or upgrade to a version of the WP Statistics plugin that addresses CVE-2026-5231 to remediate the vulnerability.
- Deploy the provided Sigma rule
Detect Suspicious utm_source Parameterto identify potential exploitation attempts targeting theutm_sourceparameter in web server logs. - Implement input validation and output escaping mechanisms within the WP Statistics plugin to prevent similar XSS vulnerabilities in the future.
- Monitor web server logs for requests containing suspicious characters or patterns within the
utm_sourceparameter, as highlighted in the Sigma rule.
Detection coverage 2
Detect Suspicious utm_source Parameter
mediumDetects requests with potentially malicious payloads in the utm_source parameter, indicative of XSS attempts.
Detect Suspicious URI Containing utm_source Parameter
mediumDetects requests with a potentially malicious utm_source parameter in the URI.
Detection queries are available on the platform. Get full rules →