CVE-2025-9816

WordPress · WordPress Plugin: WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin

A high-severity vulnerability has been identified in the WP Statistics plugin for WordPress, affecting all versions up to and including 14.

Executive summary

A high-severity vulnerability has been identified in the WP Statistics plugin for WordPress, affecting all versions up to and including 14. This flaw allows an unauthenticated attacker to inject malicious code into the website's analytics data, which executes when an administrator views the statistics dashboard. Successful exploitation could lead to a complete compromise of the website, allowing for data theft, user impersonation, or other malicious activities.

Vulnerability

The vulnerability is a Stored Cross-Site Scripting (XSS) flaw due to insufficient input sanitization of the User-Agent header. An attacker can send a request to the WordPress site with a specially crafted User-Agent string containing a malicious script. The WP Statistics plugin logs this header data and stores it in the database without proper validation. When a privileged user, such as an administrator, accesses the statistics page within the WordPress dashboard, the malicious script is retrieved from the database and executed within the context of their browser session, granting the attacker the same privileges as the victim.

Business impact

This vulnerability is rated as a High severity with a CVSS score of 7.2. A successful exploit could lead to a complete administrative takeover of the affected WordPress site. Potential consequences include theft of sensitive data (user information, customer data), website defacement, injection of malware to infect site visitors, and reputational damage. The ability for an unauthenticated attacker to compromise a high-privilege account presents a significant risk to business operations, data integrity, and customer trust.

Remediation

Immediate Action: Update the "WP Statistics" plugin to the latest available version (version 15 or higher), which contains a patch for this vulnerability. If the plugin is not essential for business operations, consider deactivating and removing it to eliminate the attack surface.

Proactive Monitoring: Monitor web server access logs for unusually long or suspicious User-Agent strings containing script tags or HTML characters (e.g., <script>, onerror, <img>). Review the data within the WP Statistics dashboard for any anomalous entries that appear to be code rather than legitimate user agent information.
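As an added illustration of the monitoring step above (this is example code, not part of the advisory or of the WP Statistics plugin), the script below parses access-log lines in the Apache/nginx "combined" format, pulls out the User-Agent field, and flags entries that contain the markers the advisory names (`<script>`, `onerror`, `<img>`), raw angle brackets, or an abnormal length. It goes slightly beyond the advisory's wording by also checking the URL-decoded form of each value. The sample log lines are constructed, and the length threshold and marker list are assumptions to be tuned against real traffic.

```python
"""Scan web-server access logs for User-Agent strings that look like
injected markup (script tags, event handlers, raw HTML, abnormal length).

Added example, not the advisory's or the plugin's code: the sample log lines
below are constructed, and MAX_UA_LEN and the marker list are assumptions."""
import re
from urllib.parse import unquote

# Apache/nginx "combined" format; the User-Agent is the last quoted field.
# Quoted fields may contain backslash-escaped quotes, hence (?:[^"\\]|\\.)*.
_COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"'
)

# Markers named in the advisory (<script>, onerror, <img>) plus a few
# neighbouring HTML/JS tokens, matched case-insensitively.
_MARKERS = re.compile(
    r'<\s*/?\s*(script|img|svg|iframe|body|style)\b'
    r'|on(error|load|mouseover)\s*='
    r'|javascript\s*:',
    re.IGNORECASE,
)
MAX_UA_LEN = 512  # assumption: set above the longest legitimate UA you see


def parse_combined(line: str):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = _COMBINED.match(line.rstrip('\n'))
    return m.groupdict() if m else None


def suspicious_ua(ua: str) -> list:
    """Return the reasons a User-Agent looks like injected markup ([] means clean)."""
    reasons = []
    checks = [('raw', ua)]
    decoded = unquote(ua)
    if decoded != ua:  # only re-check when URL-decoding actually changed something
        checks.append(('decoded', decoded))
    for label, value in checks:
        if '<' in value or '>' in value:
            reasons.append(f'html-angle-brackets({label})')
        if _MARKERS.search(value):
            reasons.append(f'xss-marker({label})')
    if len(ua) > MAX_UA_LEN:
        reasons.append(f'length>{MAX_UA_LEN}')
    return reasons


def scan_log(lines) -> list:
    """Return one finding per parseable line whose User-Agent trips any rule."""
    findings = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            continue  # not combined format (or truncated); skip rather than guess
        reasons = suspicious_ua(rec['ua'])
        if reasons:
            findings.append({'ip': rec['ip'], 'ts': rec['ts'],
                             'ua': rec['ua'], 'reasons': reasons})
    return findings


# Constructed sample lines (documentation-range IPs, inert markup, no real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2025:13:55:36 +0000] "GET /blog/ HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/118.0 Safari/537.36"',
    '198.51.100.7 - - [10/Oct/2025:13:56:01 +0000] "GET / HTTP/1.1" 200 812 "-" '
    '"Mozilla/5.0 <script>probe</script>"',
    '198.51.100.7 - - [10/Oct/2025:13:56:02 +0000] "GET / HTTP/1.1" 200 812 "-" '
    '"Mozilla/5.0 %3Cimg src=x onerror=probe()%3E"',
    '192.0.2.9 - - [10/Oct/2025:13:57:10 +0000] "GET /feed/ HTTP/1.1" 200 2048 "-" "'
    + 'A' * 600 + '"',
    '203.0.113.8 - - [10/Oct/2025:13:58:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3000 "-" '
    '"curl/8.4.0"',
    'this line is not in combined format',
]

if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['reasons']} ua={f['ua'][:60]!r}")
```

Running the block reports the three constructed probes (the `<script>` line, the URL-encoded `<img onerror>` line, and the 600-byte line) and stays silent on the Chrome and curl entries. `suspicious_ua()` takes a bare string, so the same function can be run over User-Agent values exported from the WP Statistics dashboard to review stored data, as the advisory suggests.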

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules designed to inspect and block malicious User-Agent headers and common XSS payloads. Additionally, restrict access to the WordPress administrative dashboard (/wp-admin/) to trusted IP addresses to limit the exposure of privileged users to the stored malicious script.

Exploitation status

Public Exploit Available: false

Analyst recommendation

It is strongly recommended that organizations immediately apply the vendor-supplied patch by updating the WP Statistics plugin to the latest version. The high severity rating (CVSS 7.2) and the potential for a full site compromise necessitate urgent action. While this CVE is not currently on the CISA KEV list, the widespread use of this plugin makes it a high-value target for attackers. Prioritize this update across all WordPress instances to mitigate the risk of administrative account takeover and subsequent data breaches.