CVE-2026-1238

Name of the Vulnerable Software and Affected Versions SlimStat Analytics versions prior to 5.3.6

Description The SlimStat Analytics plugin for WordPress is susceptible to Stored Cross-Site Scripting. This is due to insufficient input sanitization and output escaping related to the fh (fingerprint) parameter. An unauthenticated attacker can inject arbitrary web scripts into pages, which will execute when a user accesses the injected page.

Recommendations Update SlimStat Analytics to version 5.3.6 or later.