CVE-2026-3488

Name of the Vulnerable Software and Affected Versions WP Statistics versions prior to 14.16.5

Description The plugin is subject to missing authorization due to a lack of capability checks on several AJAX handlers. The affected endpoints are 'wp statistics get filters', 'wp statistics getPrivacyStatus', 'wp statistics updatePrivacyStatus', and 'wp statistics dismiss notices'. These handlers verify a wp rest nonce but fail to enforce checks such as current user can() or the User::Access() method. Consequently, authenticated users with Subscriber-level access or higher can access sensitive analytics data, including user IDs, usernames, emails, and visitor tracking data, as well as retrieve and modify privacy audit compliance status and dismiss administrative notices.

Recommendations Update to a version later than 14.16.4.