PT-2026-44751 · WordPress · Statcounter
Zast.Ai
·
Published
2026-05-29
·
Updated
2026-05-29
·
CVE-2026-6275
CVSS v3.1
6.4
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
StatCounter – Free Real Time Visitor Stats versions prior to 2.1.2
Description
The plugin is subject to Stored Cross-Site Scripting, a flaw where malicious scripts are permanently stored on the target server. This occurs due to insufficient output escaping of the post author's nickname within the
statcounter addToTags() function. The function, which is hooked to wp head and executes on every post page, retrieves the author's nickname using the author meta() and echoes it into a JavaScript double-quoted string context inside a <script> block without using esc js() or equivalent escaping. Consequently, authenticated attackers with Author-level access or higher can inject arbitrary web scripts that execute when any user, including unauthenticated visitors, views a post authored by the attacker.Recommendations
Update the plugin to a version later than 2.1.1.
As a temporary workaround, restrict users from having Author-level access or higher until the update is applied.
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Statcounter