PT-2026-44751 · WordPress · Statcounter

Zast.Ai

·

Published

2026-05-29

·

Updated

2026-05-29

·

CVE-2026-6275

CVSS v3.1

6.4

Medium

VectorAV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions StatCounter – Free Real Time Visitor Stats versions prior to 2.1.2
Description The plugin is subject to Stored Cross-Site Scripting, a flaw where malicious scripts are permanently stored on the target server. This occurs due to insufficient output escaping of the post author's nickname within the statcounter addToTags() function. The function, which is hooked to wp head and executes on every post page, retrieves the author's nickname using the author meta() and echoes it into a JavaScript double-quoted string context inside a <script> block without using esc js() or equivalent escaping. Consequently, authenticated attackers with Author-level access or higher can inject arbitrary web scripts that execute when any user, including unauthenticated visitors, views a post authored by the attacker.
Recommendations Update the plugin to a version later than 2.1.1. As a temporary workaround, restrict users from having Author-level access or higher until the update is applied.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-6275

Affected Products

Statcounter