PT-2026-33395 · WordPress · Wp Statistics

Daroo · Published 2026-04-17 · Updated 2026-04-22 · CVE-2026-5231

CVSS v3.1: 7.2 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

WP Statistics versions prior to 14.16.5

Description

Stored Cross-Site Scripting occurs due to insufficient input sanitization and output escaping. The referral parser copies the raw value of the 'utm_source' parameter into the source name field when a wildcard channel domain matches. Subsequently, the chart renderer inserts this value into legend markup via innerHTML without escaping. This allows unauthenticated attackers to inject arbitrary web scripts into admin pages, which execute when an administrator accesses the Referrals Overview or Social Media analytics pages. Real-world incidents of this issue being exploited have been reported.

Recommendations

Update to a version newer than 14.16.4.
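
The two controls the description says were missing, shown side by side as an added example (this is not WP Statistics code; every function name, the legend markup and the sample value are assumptions made for illustration). It contrasts a legend builder that concatenates the source name into markup with one that escapes it, and adds an input-side normalizer for the stored source name.

```javascript
// Added illustration; not WP Statistics source code. All names are hypothetical.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Output-side control: encode every character that is significant in HTML
// text and quoted-attribute contexts before the value reaches markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Input-side control (assumed policy): a source name only needs letters,
// digits, space, dot, underscore and hyphen, capped at maxLen characters.
// NFKC folds full-width look-alikes such as U+FF1C to '<' before filtering.
function normalizeSourceName(raw, maxLen = 64) {
  const cleaned = String(raw)
    .normalize('NFKC')
    .replace(/[^A-Za-z0-9 ._-]/g, '')
    .trim()
    .slice(0, maxLen);
  return cleaned === '' ? '(unknown)' : cleaned;
}

// "Before" pattern: the stored name is concatenated into a string that is
// later assigned to innerHTML, so any markup in it is parsed by the browser.
function legendItemUnsafe(name, visits) {
  return '<li class="legend-item"><span>' + name + '</span> ' + visits + '</li>';
}

// Hardened pattern: the name is escaped and the count is forced to a number,
// so neither field can contribute markup to the legend.
function legendItemSafe(name, visits) {
  const count = Number.isFinite(Number(visits)) ? Number(visits) : 0;
  return '<li class="legend-item"><span>' + escapeHtml(name) + '</span> ' + count + '</li>';
}

// Constructed sample value standing in for a stored utm_source string.
const CONSTRUCTED_SOURCE = 'newsletter<u title="x">injected</u>';

console.log(legendItemUnsafe(CONSTRUCTED_SOURCE, 3)); // markup survives intact
console.log(legendItemSafe(CONSTRUCTED_SOURCE, 3));   // markup rendered as text
console.log(normalizeSourceName(CONSTRUCTED_SOURCE)); // markup characters dropped
```

Where the legend is built with DOM calls rather than strings, assigning the name through textContent gives the same result as escapeHtml, because the browser never parses the value as HTML.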

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-5231

Affected Products

Wp Statistics